Exemplo n.º 1
0
    def suspend_differences(self):
        """Get a fresh snapshot of processes and suspend it if PID is unknown.
        """
        hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0x0)
        if hProcessSnap == INVALID_HANDLE_VALUE:
            print('   [!] ERROR-suspend: CreateToolhelp32Snapshot. Code: %d' % (GetLastError(),))
            return

        pe32 = PROCESSENTRY32()
        pe32.dwSize = sizeof(pe32)
        if not Process32First(hProcessSnap, byref(pe32)):
            print('   [!] ERROR-suspend: Process32First. Code: %d' % (GetLastError(),))
            CloseHandle(hProcessSnap)
            return

        to_suspend = []
        while 1:
            if pe32.th32ProcessID not in self.p:
                to_suspend.append(pe32.th32ProcessID)

            code = Process32Next(hProcessSnap, byref(pe32))
            if not code:
                break

        CloseHandle(hProcessSnap)

        self.suspend_process(to_suspend)
Exemplo n.º 2
0
    def create(self, app_name=None, command_line=None, process_attributes=None, thread_attributes=None, inherit_h=False,
            creation_flags=0x0, environment=None, working_dir=None):
        """Creates a new process with the specified parameters.
        More: https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createprocessa

        Args:
            app_name: module to execute
            command_line: command line to execute
            process_attributes: -
            thread_attributes: -
            inherit_h: new process inherit handles from calling process
            creation_flags: see https://docs.microsoft.com/en-us/windows/desktop/ProcThread/process-creation-flags
            environment: -
            working_dir: process working directory (i.e None = calling process working directory)

        Returns:
            tuple of (status, error_code)
            status: 0 on success, else 1
            error_code: returned value from CreateProcess on success, else GetLastError()
        """
        ret_code = CreateProcess(app_name, command_line, process_attributes, thread_attributes, inherit_h,
                creation_flags, environment, working_dir, byref(self.startupinfo), byref(self.process_information))

        if not ret_code:
            return (1, GetLastError())
        self.pid = self.process_information.dwProcessId
        self.hprocess = self.process_information.hProcess
        return (0, ret_code)
Exemplo n.º 3
0
    def suspend_process(self, pid):
        """Searches through processes threads and suspend the one with specified PID.

        Args:
            pid: int, process ID which should be suspended
        """
        hThreadSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0x0)

        te32 = THREADENTRY32()
        te32.dwSize = sizeof(te32)
        if not Thread32First(hThreadSnapshot, byref(te32)):
            print('   [!] ERROR-suspend thread: Thread32First. Code: %d' % (GetLastError(),))
            CloseHandle(hThreadSnapshot)
            return

        while 1:
            if te32.th32OwnerProcessID in pid:
                hThread = OpenThread(THREAD_SUSPEND_RESUME, None, te32.th32ThreadID)

                if hThread:
                    SuspendThread(hThread)
                    CloseHandle(hThread)

            code = Thread32Next(hThreadSnapshot, byref(te32))
            if not code:
                break

        CloseHandle(hThreadSnapshot)
Exemplo n.º 4
0
    def resume(self):
        """Resume process.
        More: https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-resumethread

        Returns:
            tuple of (status, error_code)
            status: 0 on success, else 1
            error_code: returned value from ResumeThread on success, else GetLastError()
        """
        ret_code = ResumeThread(self.process_information.hThread)

        if ret_code == DWORD(-1).value - 1:
            return (1, GetLastError())
        return (0, ret_code)
Exemplo n.º 5
0
    def terminate(self):
        """Terminate process.
        More:
            https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-terminateprocess

        Returns:
            tuple of (status, error_code)
            status: 0 on success, else 1
            error_code: returned value from TerminateProcess on success, else GetLastError()
        """
        ret_code = TerminateProcess(self.hprocess, 0x0)

        if not ret_code:
            return (1, GetLastError())
        return (0, ret_code)
Exemplo n.º 6
0
    def snap(self):
        """Get a snapshot of processes on the system and save PID for every process.
        """
        hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0x0)
        if hProcessSnap == INVALID_HANDLE_VALUE:
            print('   [!] ERROR-snap: CreateToolhelp32Snapshot. Code: %d' % (GetLastError(),))
            return

        pe32 = PROCESSENTRY32()
        pe32.dwSize = sizeof(pe32)
        if not Process32First(hProcessSnap, byref(pe32)):
            print('   [!] ERROR-snap: Process32First. Code: %d' % (GetLastError(),))
            CloseHandle(hProcessSnap)
            return

        while 1:
            if pe32.th32ProcessID not in self.p:
                self.p.append(pe32.th32ProcessID)

            code = Process32Next(hProcessSnap, byref(pe32))
            if not code:
                break

        CloseHandle(hProcessSnap)
Exemplo n.º 7
0
    def run(self):
        notify_filters = FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_DIR_NAME | FILE_NOTIFY_CHANGE_ATTRIBUTES | \
                FILE_NOTIFY_CHANGE_SIZE | FILE_NOTIFY_CHANGE_LAST_WRITE | FILE_NOTIFY_CHANGE_CREATION | \
                FILE_NOTIFY_CHANGE_SECURITY

        bufsize = (sizeof(FILE_NOTIFY_INFORMATION) + MAX_PATH * 2) * 100
        buffer = create_string_buffer(bufsize)
        returned = DWORD(0)
        while 1:
            if self.stop:
                break
            for p, h in self.hfolders.items():
                memset(buffer, 0, bufsize)
                if not ReadDirectoryChangesW(h, buffer, bufsize,
                                             True, notify_filters,
                                             byref(returned), None, None):
                    print('ERROR: ReadDirectoryChanges() failed. Code: %x!' %
                          GetLastError())

                offs = 0
                for _ in range(100):
                    fni = cast(
                        buffer[offs:offs + sizeof(FILE_NOTIFY_INFORMATION)],
                        PFILE_NOTIFY_INFORMATION).contents
                    namelen, nextoffs = int(fni.FileNameLength), int(
                        fni.NextEntryOffset)
                    name = buffer.raw[offs + 12:offs + 12 +
                                      namelen].decode('utf16')
                    evt = EVENTS.get(fni.Action)
                    if evt is None:
                        continue
                    fn = os.path.join(p, name)
                    if (not os.path.isdir(fn)) and fn not in self.results:
                        try:
                            size = '%s bytes' % os.path.getsize(fn)
                        except Exception:
                            size = 'missing'
                        print('[%s] changed: %s (%s)' % (fn, evt, size),
                              file=self.output)
                        self.results.append(fn)
                    if not nextoffs:
                        break
                    offs += nextoffs