def show_command_line(pid):
# Instance a Process object.
process = Process(pid)
# Print the process command line.
print(process.get_command_line())
def load_dll(pid, filename):
# Instance a Process object.
process = Process(pid)
# Load the DLL library in the process.
process.inject_dll(filename)
def memory_search( pid ):
found = []
# Instance a Process object.
process = Process( pid )
# Search for the string in the process memory.
# Looking for User ID:
userid_pattern = '([0-9]\x00){3} \x00([0-9]\x00){3} \x00([0-9]\x00){3}[^)]'
for address in process.search_regexp( userid_pattern ):
found += [address]
print 'Possible UserIDs found:'
found = [i[-1] for i in found]
for i in set(found):
print i.replace('\x00','')
found = []
# Looking for Password:
pass_pattern = '([0-9]\x00){4}\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x07\x00\x00'
for address in process.search_regexp( pass_pattern ):
found += [process.read(address[0]-3,16)]
if found:
print '\nPassword:'******'[0-9]{4}',i.replace('\x00',''))[0]
print pwd
else:
print re.findall('[0-9]{4}',found[0].replace('\x00',''))[0]
return found
def kill_thread( pid, kill_tid=None ):
System.request_debug_privileges()
process = Process(pid)
process.scan_threads()
tmp = kill_tid.split(',')
print tmp, ":", type(tmp), ":", len(tmp)
for thread in process.iter_threads():
thread.suspend()
tid = thread.get_tid()
try:
if kill_tid is None or kill_tid == 0:
hThread = thread.get_handle()
win32.CloseHandle(hThread)
win32.TerminateThread(hThread, -999)
else:
if len(tmp)>1:
for s in tmp:
if tid == int(s):
print "kill > ", pid, " > ", tid, " > ", kill_tid
hThread = thread.get_handle()
#win32.CloseHandle(hThread)
win32.TerminateThread(hThread, -999)
except Exception, e:
print e
pass
thread.resume()
def action_WriteProcessMemoryW(event):
# Get the return address of the call
address = event.get_thread().read_stack_dwords(1)[0]
fo = open("C:/unpacked.bin", "w")
# Get the process and thread IDs
pid = event.get_pid()
tid = event.get_tid()
process = Process(pid)
bufferAddr = event.get_thread().read_stack_dwords(
6
)[3] #6 is no of dwords grabbed from stack [0] is retuen addr [3] is 3rd argument
print hex(bufferAddr)
print "xxxxxxx"
memoryMap = process.get_memory_map()
readable = 0
writeable = 0
executable = 0
private = 0
mapped = 0
image = 0
total = 0
for mbi in memoryMap:
#print hex(mbi.BaseAddress)
if mbi.BaseAddress == bufferAddr:
print "dumping data"
print hex(mbi.BaseAddress)
print hex(mbi.RegionSize)
data = process_read(pid, mbi.BaseAddress, mbi.RegionSize)
fo.write(data)
fo.close()
def freeze_threads( pid, _tid=None ):
System.request_debug_privileges()
process = Process(pid)
process.scan_threads()
tmp = _tid.split(',')
print tmp, ":", type(tmp), ":", len(tmp)
for thread in process.iter_threads():
tid = thread.get_tid()
_tid = int(tid)
if _tid is None or _tid == 0 :
thread.suspend()
print tid, " suspend()"
else:
if len(tmp)>1:
for s in tmp:
if tid == int(s):
print tid, " suspend()"
thread.suspend()
else:
if tid == _tid:
print tid, " suspend()"
thread.suspend()
def process_kill( pid ):
# Instance a Process object.
process = Process( pid )
# Kill the process.
process.kill()
def find_meterpreter_trace(pid, rateLimit):
if (System.arch == 'i386' and System.bits == 32):
try:
meterpreter_trace_keywords = [['stdapi_railgun_api', False],
['stdapi_railgun_api_multi', False],
['stdapi_railgun_memread', False],
['stdapi_railgun_memwrite', False]]
process = psutil.Process(pid)
if (process.is_running() and process.name() == 'java.exe'):
meterpreter_trace_keywords = [
[
'class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_fs_file',
False
],
[
'class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_net_tcp_client',
False
],
[
'class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_net_tcp_server',
False
],
[
'class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_net_udp_client',
False
]
]
except Exception, e:
pass #suppress no process name
#print "Searching in",pid
foundIndex = 0
process = Process(pid)
line = 0
#For each ASCII string found in the process memory...
for address, size, data in process.strings():
#print "%s: %s" % (HexDump.address(address),data)
data = data.strip()
if (data.find(meterpreter_trace_keywords[foundIndex][0]) >= 0):
meterpreter_trace_keywords[foundIndex][1] = True
mdlog.print_console(
mdlog.SUCCESS_LEVEL,
(meterpreter_trace_keywords[foundIndex][0]))
foundIndex += 1
if foundIndex > len(meterpreter_trace_keywords) - 1:
break
line += 1
if (line > rateLimit):
return False
if foundIndex < 3:
#print "Found: %d" , foundIndex
return False
else:
found = True
for trace in meterpreter_trace_keywords:
found = found and trace[1]
return found
def main():
pid = int(sys.argv[1])
proc = Process(pid)
#= info
print "pid;", proc.get_pid()
print "is_alive;", proc.is_alive()
print "is_debugged;", proc.is_debugged()
print "is_wow;", proc.is_wow64()
print "arch;", proc.get_arch()
print "bits;", proc.get_bits()
print "filename:", proc.get_filename()
print "exit_time;", proc.get_exit_time()
print "running_time;", proc.get_running_time()
print "service;", proc.get_services()
print "policy;", proc.get_dep_policy()
print "peb;", proc.get_peb()
print "main_module;", proc.get_main_module()
print "peb_address", proc.get_peb_address()
print "entry_point;", proc.get_entry_point()
print "image_base;", proc.get_image_base()
print "image_name;", proc.get_image_name()
print "command_line;", proc.get_command_line()
print "environment;", proc.get_environment()
print "handle;", proc.get_handle()
print "resume;",proc.resume()
def print_api_address(pid, modName, procName):
# Request debug privileges.
System.request_debug_privileges()
# Instance a Process object.
process = Process(pid)
# Lookup it's modules.
process.scan_modules()
# Get the module.
module = process.get_module_by_name(modName)
if not module:
print "Module not found: %s" % modName
return
# Resolve the requested API function address.
address = module.resolve(procName)
# Print the address.
if address:
print "%s!%s == 0x%.08x" % (modName, procName, address)
else:
print "Could not resolve %s in module %s" % (procName, modName)
def unfreeze_threads(pid):
System.request_debug_privileges()
process = Process(pid)
#process.resume()
process.scan_threads()
for thread in process.iter_threads():
thread.resume()
def main():
print("Process memory reader")
print("by Mario Vilas (mvilas at gmail.com)")
print
if len(sys.argv) not in (4, 5):
script = os.path.basename(sys.argv[0])
print(" %s <pid> <address> <size> [binary output file]" % script)
print(" %s <process.exe> <address> <size> [binary output file]" %
script)
return
System.request_debug_privileges()
try:
pid = HexInput.integer(sys.argv[1])
except:
s = System()
s.scan_processes()
pl = s.find_processes_by_filename(sys.argv[1])
if not pl:
print("Process not found: %s" % sys.argv[1])
return
if len(pl) > 1:
print("Multiple processes found for %s" % sys.argv[1])
for p, n in pl:
print("\t%s: %s" % (HexDump.integer(p), n))
return
pid = pl[0][0].get_pid()
try:
address = HexInput.integer(sys.argv[2])
except Exception:
print("Invalid value for address: %s" % sys.argv[2])
return
try:
size = HexInput.integer(sys.argv[3])
except Exception:
print("Invalid value for size: %s" % sys.argv[3])
return
p = Process(pid)
data = p.read(address, size)
## data = p.peek(address, size)
print("Read %d bytes from PID %d" % (len(data), pid))
if len(sys.argv) == 5:
filename = sys.argv[4]
open(filename, 'wb').write(data)
print("Written %d bytes to %s" % (len(data), filename))
else:
if win32.sizeof(win32.LPVOID) == win32.sizeof(win32.DWORD):
width = 16
else:
width = 8
print
print(HexDump.hexblock(data, address, width=width))
def process_read( pid, address, length ):
# Instance a Process object.
process = Process( pid )
# Read the process memory.
data = process.read( address, length )
# You can also change the process memory.
# process.write( address, "example data" )
# Return a Python string with the memory contents.
return data
def strings(pid):
# Instance a Process object.
process = Process(pid)
# For each ASCII string found in the process memory...
for address, size, data in process.strings():
# Print the string and the memory address where it was found.
print "%s: %s" % (HexDump.address(address), data)
def memory_search(pid, bytes):
# Instance a Process object.
process = Process(pid)
# Search for the string in the process memory.
for address in process.search_bytes(bytes):
# Print the memory address where it was found.
print HexDump.address(address)
def freeze_threads(pid):
System.request_debug_privileges()
process = Process(pid)
process.scan_threads()
for thread in process.iter_threads():
thread.suspend()
def show_environment( pid ):
# Instance a Process object.
process = Process( pid )
# Get its environment variables.
environment = process.get_environment()
# Print the environment variables.
for variable, value in sorted( environment.items() ):
print "%s=%s" % (variable, value)
def print_modules(pid):
# Instance a Process object.
process = Process(pid)
print "Process %d" % process.get_pid()
# ...and the modules in the process.
print "Modules:"
bits = process.get_bits()
for module in process.iter_modules():
print "\t%s\t%s" % (HexDump.address(module.get_base(),
bits), module.get_filename())
def addProcess(self, pid, is_attached=False):
proc = Process(pid)
proc.pid = pid
self.procs.append(proc)
def readArray(vaddr, typ, s):
# print 'HIHIHI',proc, vaddr, typ, s
return proc.read_structure(vaddr, typ * s)
proc.read_array = readArray
proc.cont = proc.resume
return proc
def push_addr(pid, addr, value):
x = int(addr, 16)
process = Process(pid)
code = '\x68' + struct.pack('<L', int(value, 16))
print "code:", code
print "addr:", x
try:
process.write(x, code)
except Exception, e:
raise
def main(pid):
"""Main function
Args:
pid (int): The pid to connect to
"""
process = Process(pid)
width, height = get_minefield_size(process)
print('Width is %d' % width)
print('Height is %d' % height)
print()
print('\n'.join(find_mines(process, width, height)))
def main():
print("Process memory writer")
print("by Mario Vilas (mvilas at gmail.com)")
print()
if len(sys.argv) < 4:
script = os.path.basename(sys.argv[0])
print(" %s <pid> <address> {binary input file / hex data}" % script)
print(" %s <process.exe> <address> {binary input file / hex data}" %
script)
return
System.request_debug_privileges()
try:
pid = HexInput.integer(sys.argv[1])
except Exception:
s = System()
s.scan_processes()
pl = s.find_processes_by_filename(sys.argv[1])
if not pl:
print("Process not found: %s" % sys.argv[1])
return
if len(pl) > 1:
print("Multiple processes found for %s" % sys.argv[1])
for p, n in pl:
print("\t%s: %s" % (HexDump.integer(p), n))
return
pid = pl[0][0].get_pid()
try:
address = HexInput.integer(sys.argv[2])
except Exception:
print("Invalid value for address: %s" % sys.argv[2])
return
filename = ' '.join(sys.argv[3:])
if os.path.exists(filename):
data = open(filename, 'rb').read()
print("Read %d bytes from %s" % (len(data), filename))
else:
try:
data = HexInput.hexadecimal(filename)
except Exception:
print("Invalid filename or hex block: %s" % filename)
return
p = Process(pid)
p.write(address, data)
print("Written %d bytes to PID %d" % (len(data), pid))
def print_threads_and_modules(pid):
# Instance a Process object.
process = Process(pid)
print "Process %d" % process.get_pid()
# Now we can enumerate the threads in the process...
print "Threads:"
for thread in process.iter_threads():
print "\t%d" % thread.get_tid()
# ...and the modules in the process.
print "Modules:"
bits = process.get_bits()
for module in process.iter_modules():
print "\t%s\t%s" % (HexDump.address(module.get_base(),
bits), module.get_filename())
def print_threads_and_modules(pid):
process = Process(pid)
print "Process %d" % process.get_pid()
print "Threads:"
for thread in process.iter_threads():
print "\t %d" % thread.get_tid()
print "Modules:"
bits = process.get_bits()
for module in process.iter_modules():
print "\t%s\t%s" % (HexDump.address(module.get_base(),
bits), module.get_filename())
def alloc_string(pid, addr, value):
x = int(addr, 16)
process = Process(pid)
lpNewAddr = process.malloc(len(value) + 1)
newval = value + '\x0a'
print HexDump.hexadecimal(newval, '\\x')
try:
process.write(lpNewAddr, newval)
except Exception, e:
process.free(lpNewAddr)
raise
def hex_string(pid, addr, size, flag=1):
x = int(addr, 16)
process = Process(pid)
data = process.read(x, size * 8)
#hexdump = HexDump.printable( data )
if flag == 3:
print HexDump.hexblock_dword(data, address=True, width=16)
elif flag == 2:
print HexDump.hexblock_word(data, address=True, width=16)
else:
print HexDump.hexblock(data, address=True, width=16)
def proces_info(pid, addr=""):
x = int(addr, 16)
process = Process(pid)
print "get_arch:", process.get_arch()
print "get_bits:", process.get_bits()
# print "get_main_module:", process.get_main_module()
print "get_command_line:", process.get_command_line()
print "get_image_name:", (process.get_image_name())
print "get_image_base:", hex(process.get_image_base())
print "get_peb:", hex(process.get_peb().ImageBaseAddress)
print "get_peb_address:", hex(process.get_peb_address())
print "get_entry_point:", hex(process.get_entry_point())
def print_label(pid, address):
# Request debug privileges.
System.request_debug_privileges()
# Instance a Process object.
process = Process(pid)
# Lookup it's modules.
process.scan_modules()
# Resolve the requested label address.
label = process.get_label_at_address(address)
# Print the label.
print("%s == 0x%.08x" % (label, address))
def read_string(pid, addr):
x = int(addr, 16)
process = Process(pid)
# print "get_main_module:", process.get_main_module()
# print "get_peb:", hex(process.get_peb().ImageBaseAddress)
print "read: ", x
print
print "string :"
read = process.peek_string(x)
print read
print HexDump.hexadecimal(read, '\\x')
def monitor_main():
try:
while (True):
status = main_loop()
try:
for pid in status:
Process(pid).kill()
except:
pass
#mdlog.print_console(mdlog.INFO_LEVEL,"[*] out of main loop")
time.sleep(5)
except KeyboardInterrupt:
mdlog.print_console(mdlog.INFO_LEVEL, "[*] Force exit")
except Exception, e:
mdlog.print_console(mdlog.ERROR_LEVEL, "[-] Error: ", str(e))
