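    def get_filepath(self):
        """Get process image file path.

        Queries ProcessImageFileName (information class 27) through
        NtQueryInformationProcess: on success the buffer holds a
        UNICODE_STRING header followed by the NUL-terminated UTF-16LE path.
        @return: decoded file path, or an empty string when the query fails
            or returns no path characters.
        """
        if not self.h_process:
            self.open()

        pbi = create_string_buffer(530)
        size = c_int()

        # Set return value to signed 32bit integer so NT_SUCCESS can test the
        # sign of the NTSTATUS.
        NTDLL.NtQueryInformationProcess.restype = c_int

        ret = NTDLL.NtQueryInformationProcess(self.h_process, 27, byref(pbi),
                                              sizeof(pbi), byref(size))

        # A returned size of 8 or less means only the header was written,
        # i.e. there are no path characters to decode.
        if NT_SUCCESS(ret) and size.value > 8:
            try:
                # Skip the UNICODE_STRING header; the characters start right
                # after it.  NOTE(review): 8 is the 32-bit header size --
                # confirm this matches the bitness of the interpreter.
                fbuf = pbi.raw[8:]
                # Find the terminator on a code-unit (even) boundary.  A plain
                # find(b"\0\0") can match the high byte of one code unit
                # together with the low byte of the next (e.g. "a" = 61 00
                # followed by U+0100 = 00 01) and silently truncate the path.
                # If no terminator is present the whole remainder is decoded.
                end = 0
                while end + 1 < len(fbuf) and fbuf[end:end + 2] != b"\0\0":
                    end += 2
                return fbuf[:end].decode("utf16", errors="ignore")
            except Exception as e:
                log.info(e)

        return ""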
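    def get_filepath(self):
        """Get process image file path.

        Opens a handle, queries ProcessImageFileName (information class 27)
        through NtQueryInformationProcess and closes the handle again before
        parsing the result.  On success the buffer holds a UNICODE_STRING
        header followed by the NUL-terminated UTF-16LE path.
        @return: decoded file path, or an empty string when the query fails
            or returns no path characters.
        """
        process_handle = self.open_process()

        def nt_success(val):
            # NTSTATUS is signed: non-negative values are success codes.
            return val >= 0

        # NOTE(review): 200 bytes leaves room for (200 - 8) / 2 = 96 code
        # units; a longer image path makes the query fail and yields "".
        pbi = create_string_buffer(200)
        size = c_int()

        # Set return value to signed 32bit integer.
        NTDLL.NtQueryInformationProcess.restype = c_int

        try:
            ret = NTDLL.NtQueryInformationProcess(process_handle, 27, byref(pbi),
                                                  sizeof(pbi), byref(size))
        finally:
            # Release the handle even if the ctypes call raises.
            KERNEL32.CloseHandle(process_handle)

        # A returned size of 8 or less means only the header was written.
        if not nt_success(ret) or size.value <= 8:
            return ""

        try:
            # Skip the UNICODE_STRING header.  NOTE(review): 8 is the 32-bit
            # header size -- confirm this matches the interpreter bitness.
            fbuf = pbi.raw[8:]
            # Find the terminator on a code-unit (even) boundary; a plain
            # find("\x00\x00") can match across two adjacent code units
            # (e.g. "a" = 61 00 followed by U+0100 = 00 01) and truncate
            # the path.  With no terminator the whole remainder is decoded.
            end = 0
            while end + 1 < len(fbuf) and fbuf[end:end + 2] != b"\x00\x00":
                end += 2
            return fbuf[:end].decode("utf16", errors="ignore")
        except Exception:
            # Narrowed from a bare except so KeyboardInterrupt/SystemExit
            # are no longer swallowed.
            return ""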
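    def get_filepath(self):
        """Get process image file path.

        Queries ProcessImageFileName (information class 27) through
        NtQueryInformationProcess on self.h_process (opening it first if
        needed).  On success the buffer holds a UNICODE_STRING header
        followed by the NUL-terminated UTF-16LE path.
        @return: decoded file path, or an empty string when the query fails
            or returns no path characters.
        """
        if not self.h_process:
            self.open()

        def nt_success(val):
            # NTSTATUS is signed: non-negative values are success codes.
            return val >= 0

        # NOTE(review): 200 bytes leaves room for (200 - 8) / 2 = 96 code
        # units; a longer image path makes the query fail and yields "".
        pbi = create_string_buffer(200)
        size = c_int()

        # Set return value to signed 32bit integer.
        NTDLL.NtQueryInformationProcess.restype = c_int

        ret = NTDLL.NtQueryInformationProcess(self.h_process, 27, byref(pbi),
                                              sizeof(pbi), byref(size))

        # A returned size of 8 or less means only the header was written.
        if not nt_success(ret) or size.value <= 8:
            return ""

        try:
            # Skip the UNICODE_STRING header.  NOTE(review): 8 is the 32-bit
            # header size -- confirm this matches the interpreter bitness.
            fbuf = pbi.raw[8:]
            # Find the terminator on a code-unit (even) boundary; a plain
            # find('\0\0') can match across two adjacent code units (e.g.
            # "a" = 61 00 followed by U+0100 = 00 01) and truncate the path.
            # With no terminator the whole remainder is decoded.
            end = 0
            while end + 1 < len(fbuf) and fbuf[end:end + 2] != b'\0\0':
                end += 2
            return fbuf[:end].decode('utf16', errors="ignore")
        except Exception:
            # Narrowed from a bare except so KeyboardInterrupt/SystemExit
            # are no longer swallowed.
            return ""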
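    def get_parent_pid(self):
        """Get the Parent Process ID.

        Queries ProcessBasicInformation (information class 0) on a freshly
        opened handle; the handle is always closed before returning.
        @return: the InheritedFromUniqueProcessId member, or None when the
            query fails or returns an unexpected size.  Because the member is
            declared as c_void_p, ctypes also yields None when its value is 0.
        """
        class PROCESS_BASIC_INFORMATION(Structure):
            # All six members are declared pointer-sized so the structure
            # has the right size on both 32- and 64-bit Windows.
            _fields_ = [
                ("ExitStatus", c_void_p),
                ("PebBaseAddress", c_void_p),
                ("AffinityMask", c_void_p),
                ("BasePriority", c_void_p),
                ("UniqueProcessId", c_void_p),
                ("InheritedFromUniqueProcessId", c_void_p),
            ]

        def nt_success(val):
            # NTSTATUS is signed: non-negative values are success codes.
            return val >= 0

        pbi = PROCESS_BASIC_INFORMATION()
        size = c_int()

        # Set return value to signed 32bit integer.
        NTDLL.NtQueryInformationProcess.restype = c_int

        process_handle = self.open_process()
        try:
            ret = NTDLL.NtQueryInformationProcess(
                process_handle, 0, byref(pbi), sizeof(pbi), byref(size)
            )
        finally:
            # Release the handle even if the ctypes call raises.
            KERNEL32.CloseHandle(process_handle)

        # Reject partial fills: the returned size must match the structure.
        if nt_success(ret) and size.value == sizeof(pbi):
            return pbi.InheritedFromUniqueProcessId
        return None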
    def is_critical(self):
        """Determines if process is 'critical' or not, so we can prevent terminating it"""
        if not self.h_process:
            self.open()

        # ProcessBreakOnTermination (information class 29): a non-zero value
        # marks the process as critical, i.e. terminating it would bug-check
        # the machine, so callers use this to avoid killing it.
        flag = c_ulong(0)
        returned = c_ulong(0)
        status = NTDLL.NtQueryInformationProcess(
            self.h_process, 29, byref(flag), sizeof(flag), byref(returned)
        )
        # Only a successful query with a non-zero flag counts as critical.
        return bool(NT_SUCCESS(status) and flag.value)
    def load_driver(self):
        """Load the kernel driver registered under the service key named by
        self.install_name using NtLoadDriver.

        @raise CuckooError: when NtLoadDriver returns a non-zero NTSTATUS;
            the status is reported as an unsigned 32-bit hex value.
        """
        service_key = u"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\%s" % self.install_name

        us = UNICODE_STRING()
        us.Buffer = service_key
        # Length/MaximumLength are byte counts of the UTF-16 buffer, hence
        # two bytes per code unit; the terminator is not included.
        byte_length = len(service_key) * 2
        us.Length = byte_length
        us.MaximumLength = byte_length

        # Reduce modulo 2**32 so a negative (failure) NTSTATUS is shown in
        # its usual 0xC.../0x8... form.
        status = NTDLL.NtLoadDriver(ctypes.byref(us)) % 2**32
        if status != 0:
            raise CuckooError("Unable to load the %s driver: 0x%x" %
                              (self.driver_name, status))
    def get_parent_pid(self):
        """Get the Parent Process ID.

        Queries ProcessBasicInformation (information class 0) on
        self.h_process, opening it first when needed.
        @return: the sixth pointer-sized member of PROCESS_BASIC_INFORMATION
            (InheritedFromUniqueProcessId), or None when the query fails or
            returns an unexpected size.
        """
        if not self.h_process:
            self.open()

        # PROCESS_BASIC_INFORMATION is six pointer-sized members; only the
        # last one (index 5) is of interest here.
        info = (ULONG_PTR * 6)()
        returned = c_ulong()

        # Set return value to signed 32bit integer.
        NTDLL.NtQueryInformationProcess.restype = c_int

        status = NTDLL.NtQueryInformationProcess(
            self.h_process, 0, byref(info), sizeof(info), byref(returned)
        )

        # Reject failures and partial fills alike.
        if not NT_SUCCESS(status) or returned.value != sizeof(info):
            return None
        return info[5]
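    def get_parent_pid(self):
        """Get the Parent Process ID.

        Queries ProcessBasicInformation (information class 0) on a freshly
        opened handle; the handle is always closed before returning.
        @return: the InheritedFromUniqueProcessId member (index 5 of the
            six pointer-sized members of PROCESS_BASIC_INFORMATION), or None
            when the query fails or returns an unexpected size.
        """
        from ctypes import c_size_t

        process_handle = self.open_process()

        def nt_success(val):
            # NTSTATUS is signed: non-negative values are success codes.
            return val >= 0

        # The six members of PROCESS_BASIC_INFORMATION are pointer-sized.
        # c_size_t is pointer-sized on both 32- and 64-bit Windows, whereas
        # c_int is always 4 bytes, which made the size check below fail (and
        # the query return an info-length mismatch) on 64-bit interpreters.
        pbi = (c_size_t * 6)()
        size = c_int()

        # Set return value to signed 32bit integer.
        NTDLL.NtQueryInformationProcess.restype = c_int

        try:
            ret = NTDLL.NtQueryInformationProcess(process_handle, 0, byref(pbi),
                                                  sizeof(pbi), byref(size))
        finally:
            # Release the handle even if the ctypes call raises.
            KERNEL32.CloseHandle(process_handle)

        # Reject partial fills: the returned size must match the structure.
        if nt_success(ret) and size.value == sizeof(pbi):
            return pbi[5]

        return None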
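    def pids_from_process_name_list(self, namelist):
        """Return the PIDs of running processes whose image name is in namelist.

        Takes one SystemProcessInformation (class 5) snapshot through
        NtQuerySystemInformation and walks the NextEntryOffset chain.
        @param namelist: iterable of image names; each is compared verbatim
            against the lower-cased image name, so pass lower-case entries.
        @return: list of PIDs in enumeration order, or an empty list when the
            snapshot could not be taken.
        """
        # One set lookup per process instead of a scan over namelist; the
        # original stopped at the first match, so membership is equivalent.
        wanted = set(namelist)
        pidlist = []

        # Fixed 1 MiB snapshot buffer.  NOTE(review): a system with more
        # processes than fit here makes the call fail and yields [] -- the
        # returned length in retlen is not used to retry with a larger buffer.
        buflen = 1024 * 1024
        buf = create_string_buffer(buflen)
        retlen = c_ulong(0)
        status = NTDLL.NtQuerySystemInformation(5, buf, buflen, byref(retlen))
        if status:
            return []

        cursor = cast(buf, c_void_p)
        proc = cast(cursor, POINTER(SYSTEM_PROCESS_INFORMATION)).contents
        # The first record is advanced past without being inspected (kept
        # from the original); the last record, whose NextEntryOffset is 0,
        # is inspected before the loop ends.
        while proc.NextEntryOffset:
            cursor.value += proc.NextEntryOffset
            proc = cast(cursor, POINTER(SYSTEM_PROCESS_INFORMATION)).contents
            # ImageName.Length is a byte count of the UTF-16 buffer; use
            # floor division so the slice index stays an int on Python 3.
            image_name = proc.ImageName.Buffer[:proc.ImageName.Length // 2]
            if image_name.lower() in wanted:
                pidlist.append(proc.UniqueProcessId)

        return pidlist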