def __receive_loop(self): with self.handle as hDevice: if self.use_alternate_receive: port = self.__get_first_rx_port() if port is None: del self._process_queue[:] self._process_event.set() self._process_thread.join(1.0) self._receive_thread = None return with self._learn_lock: inBuffer = IOCTL_IR_ENTER_PRIORITY_RECEIVE_PARAMS() inBuffer.Receiver = port inBuffer.TimeOut = self._packet_timeout _io_control(IOCTL_IR_ENTER_PRIORITY_RECEIVE, hDevice, inBuffer, NULL) self._process_thread = threading.Thread(target=self.__process_loop) self._process_thread.daemon = True self._process_thread.start() while not self._end_event.is_set(): with self._learn_lock: if self.use_alternate_receive: dwIoControlCode = IOCTL_IR_PRIORITY_RECEIVE outBuffer = IR_PRIORITY_RECEIVE_PARAMS() outBuffer.ByteCount = 36 outBufferSize = ctypes.sizeof( IR_PRIORITY_RECEIVE_PARAMS) offset = ctypes.sizeof(ULONG) else: dwIoControlCode = IOCTL_IR_RECEIVE outBuffer = IR_RECEIVE_PARAMS() outBuffer.ByteCount = 36 outBufferSize = ctypes.sizeof(IR_RECEIVE_PARAMS) offset = 0 offset += ctypes.sizeof(IR_ULONG_PTR) * 2 lpNumberOfBytesTransferred = DWORD() lpOverlapped = OVERLAPPED() lpEventAttributes = NULL bManualReset = BOOL(False) bInitialState = BOOL(False) lpName = NULL lpOverlapped.hEvent = CreateEvent(lpEventAttributes, bManualReset, bInitialState, lpName) if not DeviceIoControl( hDevice, DWORD(dwIoControlCode), NULL, INT(0), ctypes.byref(outBuffer), INT(outBufferSize), ctypes.byref(lpNumberOfBytesTransferred), ctypes.byref(lpOverlapped)): err = ctypes.GetLastError() if err != ERROR_IO_PENDING: CancelIo(hDevice) CloseHandle(lpOverlapped.hEvent) raise ctypes.WinError() bWaitAll = BOOL(False) dwMilliseconds = DWORD(INFINITE) if dwIoControlCode == IOCTL_IR_PRIORITY_RECEIVE: lpEventAttributes = NULL bManualReset = BOOL(False) bInitialState = BOOL(False) lpName = NULL hEvent = self.hEvent = CreateEvent( lpEventAttributes, bManualReset, bInitialState, lpName) nCount = DWORD(2) lpHandles = (HANDLE * 2)(lpOverlapped.hEvent, hEvent) else: nCount = DWORD(1) lpHandles = (HANDLE * 1)(lpOverlapped.hEvent) response = WaitForMultipleObjects( nCount, lpHandles, bWaitAll, dwMilliseconds) if response == WAIT_OBJECT_0: bWait = BOOL(True) if not GetOverlappedResult( hDevice, ctypes.byref(lpOverlapped), ctypes.byref(lpNumberOfBytesTransferred), bWait): err = ctypes.GetLastError() if self.hEvent is not None: CloseHandle(self.hEvent) self.hEvent = None CancelIo(hDevice) CloseHandle(lpOverlapped.hEvent) raise ctypes.WinError(err) else: if self.hEvent is not None: CloseHandle(self.hEvent) self.hEvent = None CancelIo(hDevice) CloseHandle(lpOverlapped.hEvent) if self.hEvent is not None: CloseHandle(self.hEvent) self.hEvent = None break if self.hEvent is not None: CloseHandle(self.hEvent) self.hEvent = None CloseHandle(lpOverlapped.hEvent) byte_count = lpNumberOfBytesTransferred.value data = [] byte_count -= offset byte_count //= ctypes.sizeof(LONG) if not byte_count: continue if dwIoControlCode == IOCTL_IR_PRIORITY_RECEIVE: freq = outBuffer.CarrierFrequency else: freq = None for i in range(byte_count): data += [outBuffer.Data[i]] self._process_queue.append((freq, data[:])) self._process_event.set() if self.use_alternate_receive: _io_control(IOCTL_IR_EXIT_PRIORITY_RECEIVE, hDevice, NULL, NULL) del self._process_queue[:] self._process_event.set() self._process_thread.join(1.0) self._receive_thread = None
def _io_control(ioControlCode, hDevice, inBuffer, outBuffer, outBufferSize=None): dwIoControlCode = DWORD(ioControlCode) if inBuffer is NULL: lpInBuffer = NULL nInBufferSize = INT(0) elif 'PyCPointerType' in str(type(inBuffer)): lpInBuffer = inBuffer nInBufferSize = INT(ctypes.sizeof(inBuffer.contents.__class__)) else: lpInBuffer = ctypes.byref(inBuffer) nInBufferSize = INT(ctypes.sizeof(inBuffer.__class__)) if outBuffer is NULL: lpOutBuffer = NULL nOutBufferSize = INT(0) elif 'PyCPointerType' in str(type(outBuffer)): lpOutBuffer = outBuffer if outBufferSize is None: nOutBufferSize = INT(ctypes.sizeof(outBuffer.contents.__class__)) else: nOutBufferSize = INT(outBufferSize) else: lpOutBuffer = ctypes.byref(outBuffer) if outBufferSize is None: nOutBufferSize = INT(ctypes.sizeof(outBuffer.__class__)) else: nOutBufferSize = INT(outBufferSize) lpNumberOfBytesTransferred = DWORD() lpOverlapped = OVERLAPPED() lpEventAttributes = NULL bManualReset = BOOL(False) bInitialState = BOOL(False) lpName = NULL lpOverlapped.hEvent = CreateEvent(lpEventAttributes, bManualReset, bInitialState, lpName) if not DeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, ctypes.byref(lpNumberOfBytesTransferred), ctypes.byref(lpOverlapped)): err = ctypes.GetLastError() if err != ERROR_IO_PENDING: CancelIo(hDevice) CloseHandle(lpOverlapped.hEvent) return 0 nCount = DWORD(1) bWaitAll = BOOL(False) dwMilliseconds = DWORD(INFINITE) lpHandles = (HANDLE * 1)(lpOverlapped.hEvent) response = WaitForMultipleObjects(nCount, lpHandles, bWaitAll, dwMilliseconds) if response == WAIT_OBJECT_0: bWait = BOOL(True) lpNumberOfBytesTransferred = DWORD() if not GetOverlappedResult( hDevice, ctypes.byref(lpOverlapped), ctypes.byref(lpNumberOfBytesTransferred), bWait): CancelIo(hDevice) CloseHandle(lpOverlapped.hEvent) raise ctypes.WinError() CloseHandle(lpOverlapped.hEvent) return lpNumberOfBytesTransferred.value CancelIo(hDevice) CloseHandle(lpOverlapped.hEvent) raise ctypes.WinError() CloseHandle(lpOverlapped.hEvent) return lpNumberOfBytesTransferred.value
print('Lookup privilege {0} successfully!!'.format(lpName)) ''' BOOL PrivilegeCheck( HANDLE ClientToken, PPRIVILEGE_SET RequiredPrivileges, LPBOOL pfResult ); ''' # PrivilegeCheck print('[+] PrivilegeCheck') ClientToken = TokenHandle RequiredPrivileges = PRIVILEGE_SET() RequiredPrivileges.PrivilegeCount = 1 RequiredPrivileges.Privilege.Luid = lpLuid RequiredPrivileges.Privilege.Attributes = SE_PRIVILEGE_ENABLED pfResult = BOOL() response = adv_handle.PrivilegeCheck(ClientToken, ctypes.byref(RequiredPrivileges), ctypes.byref(pfResult)) if response == 0: print('Error code {0} - PrivilegeCheck failed.'.format( k_handle.GetLastError())) else: print('PrivilegeCheck successfully!!') if pfResult.value == 0: print('Privilege {0} is DISABLED'.format(lpName)) else: print('Privilege {0} is ENABLED'.format(lpName))
def open_pipe(): security_attributes = SECURITY_ATTRIBUTES() security_descriptor = PSECURITY_DESCRIPTOR() advapi32.SetSecurityDescriptorDacl( ctypes.byref(security_descriptor), BOOL(1), NULL, BOOL(0) ) DEFAULT_SECURITY_ATTRIBUTES.lpSecurityDescriptor = ( security_descriptor ) security_attributes.nLength = ( ctypes.sizeof(security_attributes) ) if len(self._pipes) == 0: self.__debug('creating pipe') self.__debug('creating entry point') pipe_handle = CreateNamedPipe( pipe_name, ( PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED | FILE_FLAG_FIRST_PIPE_INSTANCE ), ( PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT ), PIPE_UNLIMITED_INSTANCES, self._packet_size, self._packet_size, self._time_out, ctypes.byref(security_attributes) ) else: self.__debug('creating entry point') pipe_handle = CreateNamedPipe( pipe_name, PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED, ( PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT ), PIPE_UNLIMITED_INSTANCES, self._packet_size, self._packet_size, self._time_out, ctypes.byref(security_attributes) ) err = GetLastError() if err and err != ERROR_ALREADY_EXISTS: DisconnectNamedPipe(pipe_handle) CloseHandle(pipe_handle) raise PipeError(err) self.__debug('entry point {0} created', pipe_handle) return pipe_handle
SECURITY_ATTRIBUTES = _SECURITY_ATTRIBUTES PSECURITY_ATTRIBUTES = ctypes.POINTER(_SECURITY_ATTRIBUTES) LPSECURITY_ATTRIBUTES = ctypes.POINTER(_SECURITY_ATTRIBUTES) DEFAULT_INSTANCES = 0x0000000A DEFAULT_PACKET_SIZE = 0x00001000 DEFAULT_TIMEOUT = 0x000001F4 DEFAULT_SECURITY_ATTRIBUTES = SECURITY_ATTRIBUTES() DEFAULT_SECURITY_DESCRIPTOR = PSECURITY_DESCRIPTOR() advapi32.SetSecurityDescriptorDacl( ctypes.byref(DEFAULT_SECURITY_DESCRIPTOR), BOOL(1), NULL, BOOL(0) ) DEFAULT_SECURITY_ATTRIBUTES.lpSecurityDescriptor = ( DEFAULT_SECURITY_DESCRIPTOR ) DEFAULT_SECURITY_ATTRIBUTES.nLength = ( ctypes.sizeof(DEFAULT_SECURITY_ATTRIBUTES) ) def _decl(name, ret=None, args=()): fn = getattr(kernel32, name) fn.restype = ret
def savePng(w, h, fmt, data): if type(data) == bytearray: data = create_string_buffer(bytes(data), len(data)) elif type(data) == bytes: data = create_string_buffer(data, len(data)) else: raise RuntimeError("Must pass bytes or bytearray to savePng") stream = POINTER(IStream)() hr = ole32.CreateStreamOnHGlobal(None, BOOL(1), byref(stream)) if hr != 0: raise RuntimeError("Could not create HGlobal stream") try: encoder = POINTER(IWICBitmapEncoder)() hr = factory.contents.lpVtbl.contents.CreateEncoder( factory, (c_ubyte * 16)(*GUID_PNG), c_void_p(0), byref(encoder)) if hr != 0: raise RuntimeError("Could not create encoder") try: #2=no cache hr = encoder.contents.lpVtbl.contents.Initialize( encoder, stream, 2) if hr != 0: raise RuntimeError("Could not create encoder") frame = POINTER(IWICBitmapFrameEncode)() props = c_void_p() hr = encoder.contents.lpVtbl.contents.CreateNewFrame( encoder, byref(frame), byref(props)) if hr != 0: raise RuntimeError("Could not create encoder") try: hr = frame.contents.lpVtbl.contents.Initialize( frame, props) if hr != 0: raise RuntimeError("Could not initialize frame") hr = frame.contents.lpVtbl.contents.SetSize(frame, w, h) if hr != 0: raise RuntimeError("Could not set size") if fmt == "RGB8": stride = w * 3 pf = (GUID_RGBA8) elif fmt == "RGBA8": stride = w * 4 pf = (GUID_RGBA8) elif fmt == "RGB16": stride = w * 6 pf = (GUID_RGBA16) elif fmt == "RGBA16": stride = w * 8 pf = (GUID_RGBA16) else: raise RuntimeError( "Unknown pixel format: Must be RGB8, RGBA8, RGB16, or RGBA16" ) bmp = POINTER(IWICBitmap)() tmp = (c_ubyte * 16)() for i in range(len(pf)): tmp[i] = pf[i] pf = tmp hr = factory.contents.lpVtbl.contents.CreateBitmapFromMemory( factory, w, h, pf, stride, h * stride, data, byref(bmp)) if hr != 0: raise RuntimeError("Cannot create bitmap") try: hr = frame.contents.lpVtbl.contents.SetPixelFormat( frame, pf) if hr != 0: raise RuntimeError("Cannot set pixel format") conv = POINTER(IWICFormatConverter)() hr = factory.contents.lpVtbl.contents.CreateFormatConverter( factory, byref(conv)) if hr != 0: raise RuntimeError("Cannot create converter") try: hr = conv.contents.lpVtbl.contents.Initialize( conv, bmp, pf, 0, c_void_p(0), 0.0, 0) if hr != 0: raise RuntimeError( "Cannot initialize converter") hr = frame.contents.lpVtbl.contents.WriteSource( frame, bmp, c_void_p(0)) if hr != 0: raise RuntimeError("Cannot write source") hr = frame.contents.lpVtbl.contents.Commit(frame) if hr != 0: raise RuntimeError("Cannot commit frame") hr = encoder.contents.lpVtbl.contents.Commit( encoder) if hr != 0: raise RuntimeError("Cannot commit encoder") pos = ULARGE_INTEGER(0) zero = LARGE_INTEGER(0) hr = stream.contents.lpVtbl.contents.Seek( stream, zero, 1, byref(pos)) if hr != 0: raise RuntimeError("Cannot seek end") buffSize = pos.value numLeft = buffSize pngDataBuffer = (c_byte * numLeft)() p = addressof(pngDataBuffer) hr = stream.contents.lpVtbl.contents.Seek( stream, zero, 0, byref(pos)) if hr != 0: raise RuntimeError("Cannot seek start") while numLeft > 0: numRead = ULONG() hr = stream.contents.lpVtbl.contents.Read( stream, p, numLeft, byref(numRead)) if hr != 0: raise RuntimeError("Could not read") numLeft -= numRead.value p += numRead.value return string_at(pngDataBuffer, buffSize) finally: conv.contents.lpVtbl.contents.Release(conv) finally: bmp.contents.lpVtbl.contents.Release(bmp) finally: frame.contents.lpVtbl.contents.Release(frame) finally: encoder.contents.lpVtbl.contents.Release(encoder) finally: stream.contents.lpVtbl.contents.Release(stream)