    class RemoteLoadedModule64(rctypes.transform_type_to_remote64bits(LoadedModule)):
        """``LoadedModule`` as laid out in a 64-bit remote process."""

        @property
        def pe(self):
            """Parse the module image mapped at ``baseaddr`` inside the remote target.

            :type: :class:`windows.pe_parse.PEFile`
            """
            image_base = self.baseaddr
            return pe_parse.GetPEFile(image_base, target=self._target)
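    class RemotePEB64(rctypes.transform_type_to_remote64bits(PEB)):
        """64-bit PEB read from another process; ``modules`` walks its loader list."""

        def ptr_flink_to_remote_module(self, ptr_value):
            """Turn a ``Flink`` pointer of ``InMemoryOrderModuleList`` into a module object.

            The pointer designates the ``InMemoryOrderLinks`` member of a remote
            ``LDR_DATA_TABLE_ENTRY``.  That member comes right after the first
            ``LIST_ENTRY`` (two 64-bit pointers), so stepping back that amount
            yields the address of the entry itself.

            :param ptr_value: remote address of an ``InMemoryOrderLinks`` field
            :rtype: :class:`RemoteLoadedModule64`
            """
            entry_addr = ptr_value - ctypes.sizeof(rctypes.c_void_p64) * 2
            return RemoteLoadedModule64(entry_addr, self._target)

        @property
        def modules(self):
            """The loaded modules present in the PEB

            :type: [:class:`LoadedModule`] -- List of loaded modules
            :raises ValueError: if ``PEB->Ldr`` is NULL, or if the remote list
                loops back on an entry already visited
            """
            if not self.Ldr.value:
                raise ValueError("PEB->Ldr is NULL: cannot walk the module list")
            res = []
            # Every link pointer below is read from another process and is not
            # trustworthy: a corrupted or deliberately circular list would
            # otherwise keep this loop spinning forever.  Remember each entry
            # address and stop as soon as one comes back.
            seen = set()
            list_entry_ptr = self.Ldr.contents.InMemoryOrderModuleList.Flink.raw_value
            current_dll = self.ptr_flink_to_remote_module(list_entry_ptr)
            # Normal termination: the sentinel entry reads back a zero DllBase.
            while current_dll.DllBase:
                if list_entry_ptr in seen:
                    raise ValueError(
                        "PEB module list is circular: entry 0x%x seen twice" % list_entry_ptr)
                seen.add(list_entry_ptr)
                res.append(current_dll)
                list_entry_ptr = current_dll.InMemoryOrderLinks.Flink.raw_value
                current_dll = self.ptr_flink_to_remote_module(list_entry_ptr)
            return res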
 def create_structure_at(structcls, addr):
     """Instantiate the 64-bit remote counterpart of ``structcls`` at ``addr``.

     ``target`` is a free variable resolved from the enclosing scope (not
     visible here) and names the process the structure is read from.
     """
     remote_cls = rctypes.transform_type_to_remote64bits(structcls)
     return remote_cls(addr, target)
import pytest
import windows
import windows.remotectypes as rctypes
import ctypes
import json

from .pfwtest import *


def assert_struct_offset(struct, field, offset):
    """Check that ctypes field ``field`` of structure ``struct`` starts at byte ``offset``."""
    descriptor = getattr(struct, field)
    assert descriptor.offset == offset


# Native structures describe our own bitness; the other bitness is derived
# through remotectypes so both layouts can be checked from either process.
if windows.current_process.bitness == 32:
    PEB32 = windows.generated_def.PEB
    PEB64 = rctypes.transform_type_to_remote64bits(PEB32)
    SYSTEM_PROCESS_INFORMATION32 = windows.generated_def.SYSTEM_PROCESS_INFORMATION
    SYSTEM_PROCESS_INFORMATION64 = rctypes.transform_type_to_remote64bits(
        SYSTEM_PROCESS_INFORMATION32)
else:
    PEB64 = windows.generated_def.PEB
    PEB32 = rctypes.transform_type_to_remote32bits(PEB64)
    SYSTEM_PROCESS_INFORMATION64 = windows.generated_def.SYSTEM_PROCESS_INFORMATION
    SYSTEM_PROCESS_INFORMATION32 = rctypes.transform_type_to_remote32bits(
        SYSTEM_PROCESS_INFORMATION64)


def test_peb32_fields():
    """Pin the byte offsets of selected 32-bit PEB fields."""
    def assert_peb_offset(field, offset):
        assert_struct_offset(PEB32, field, offset)

    assert_peb_offset("BeingDebugged", 2)
 def create_structure_at(structcls, addr):
     """Build the 64-bit remote view of ``structcls`` located at ``addr``.

     ``target`` comes from the enclosing scope (not visible here).
     """
     to_remote64 = rctypes.transform_type_to_remote64bits
     return to_remote64(structcls)(addr, target)
import pytest
import windows
import windows.remotectypes as rctypes

from pfwtest import *


def assert_struct_offset(struct, field, offset):
    """Assert that the ctypes field ``field`` of ``struct`` lives at byte ``offset``."""
    actual_offset = getattr(struct, field).offset
    assert actual_offset == offset


# The PEB of our own bitness is the generated one; the other layout is
# obtained by letting remotectypes retarget it.
if windows.current_process.bitness != 32:
    PEB64 = windows.generated_def.PEB
    PEB32 = rctypes.transform_type_to_remote32bits(PEB64)
else:
    PEB32 = windows.generated_def.PEB
    PEB64 = rctypes.transform_type_to_remote64bits(PEB32)


def test_peb32_fields():
    assert_peb_offset = lambda field, offset: assert_struct_offset(
        PEB32, field, offset)
    assert_peb_offset("BeingDebugged", 2)
    assert_peb_offset("ImageBaseAddress", 0x8)
    assert_peb_offset("Ldr", 0xc)
    assert_peb_offset("ProcessParameters", 0x10)
    assert_peb_offset("KernelCallbackTable", 0x2c)
    assert_peb_offset("UserSharedInfoPtr", 0x2c)
    assert_peb_offset("ApiSetMap", 0x38)
    assert_peb_offset("NumberOfProcessors", 0x64)
    assert_peb_offset("GdiHandleBuffer", 0xc4)