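def get_explorer_pid():
    """Return the PID of a recently started ``explorer.exe``, or ``None``.

    Debug privileges are requested first so that processes owned by other
    users can be opened; every running process is then scanned and the first
    one whose image name is ``explorer.exe`` and whose ``get_running_time()``
    value is below 300000 (units as reported by that call) is returned.
    Processes that cannot be opened (``ERROR_ACCESS_DENIED``) are skipped;
    any other ``WindowsError`` is re-raised to the caller.

    Returns:
        int | None: the matching process ID, or ``None`` when no process
        satisfies both conditions.
    """
    import ntpath  # local import: the module's import block is not part of this listing

    # SeDebugPrivilege is what allows opening processes of other sessions/users;
    # without it most of the scan below would fail with ERROR_ACCESS_DENIED.
    System.request_debug_privileges()

    # Enumerate running processes; fall back to the fast scan if the full one fails.
    system = System()
    try:
        system.scan_processes()
    except WindowsError:
        system.scan_processes_fast()

    for process in system.iter_processes():
        try:
            pid = process.get_pid()
            # Skip the "special" pseudo-process IDs (Idle / System).
            if pid in (0, 4, 8):
                continue
            filename = process.get_filename()
            # `dev` is assumed to be a module-level debug flag defined elsewhere in the file.
            if dev:
                print("* Process: %s Pid: %s Time: %s" % (filename, pid, process.get_running_time()))
            # Compare on the base name, case-insensitively, so a full path returned by
            # get_filename() (or a differently-cased name) still matches. A missing
            # filename (None/empty) can never match.
            if filename and ntpath.basename(filename).lower() == "explorer.exe":
                if process.get_running_time() < 300000:
                    return pid
        except WindowsError as e:
            # Skip processes we don't have permission to access; surface anything else.
            if e.winerror == ERROR_ACCESS_DENIED:
                continue
            raise
    return None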
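def testRunningProcesses(self):
    """Compare the in-memory image of each selected process's modules with its file on disk.

    Every running process whose ``fileName`` contains one of the substrings in
    ``self.PROCESS_TO_SCAN`` has its loaded modules enumerated. For each module the
    mapped image is read out of process memory (``process.read``) and passed to
    ``validator.CompareExe`` together with the on-disk path, so that modules whose
    memory image diverges from the file can be reported. Per-process and per-module
    failures are wrapped in ``validator.ExceptionHandler`` (assumed to record the
    failure and let the scan continue - confirm against MemoryValidatorClass).
    ``CounterMonitor`` is always stopped, even when the scan raises.
    """
    validator = MemoryValidatorClass()
    validator.Initialize("c:\\mem\\user\\")
    CounterMonitor.Start()
    try:
        # Debug privileges are required to open and read the memory of other users' processes.
        System.request_debug_privileges()
        with UpdateCounterForScope("main"):
            system = System()
            system.scan_processes()
            totalProcesses = system.get_process_count()
            for processIndex, process in enumerate(system.iter_processes()):
                fileName = process.fileName
                pid = process.dwProcessId
                if not fileName or not pid:
                    continue
                validator.ImageName = fileName
                logging.info("---------------------------------------------")
                validator.Message = "[{}] fileName:{} pid:{}".format(processIndex, fileName, pid)
                logging.info(validator.Message)
                if not any(s in fileName for s in self.PROCESS_TO_SCAN):
                    continue
                print("------process {}/{} {}-------".format(processIndex, totalProcesses, fileName))
                with validator.ExceptionHandler("Failed comparing {0}".format(fileName)):
                    process.scan_modules()
                    # Group module records by lower-cased base name; the same base
                    # name may be loaded from more than one directory.
                    mods = {}
                    for module in process.iter_modules():
                        fullDllName = module.get_filename().lower()
                        baseDllName = ntpath.basename(fullDllName)
                        mods.setdefault(baseDllName, []).append({
                            "BaseDllName": baseDllName,
                            "FullDllName": fullDllName,
                            "StartAddr": module.get_base(),
                            "EndAddr": module.get_base() + module.get_size(),
                            "SizeOfImage": module.get_size(),
                        })
                    validator.BuildLoadedModuleAddressesFromWinAppDbg(mods)
                    totalMods = len(mods)
                    for modIndex, modList in enumerate(mods.values()):
                        print("module {}/{} {}".format(modIndex, totalMods, modList[0]["BaseDllName"]))
                        for mod in modList:
                            validator.InitializeModuleInfoFromWinAppDbg(mod)
                            with validator.ExceptionHandler("failed comparing {0}".format(mod)):
                                # DllBase/SizeOfImage are set by InitializeModuleInfoFromWinAppDbg above.
                                memoryData = process.read(validator.DllBase, validator.SizeOfImage)
                                if not memoryData:
                                    validator.Warn("failed to read memory data")
                                    continue
                                validator.CompareExe(memoryData, validator.FullDllPath)
    finally:
        # Stop the counter even if the scan raised, so the monitor is never left running.
        CounterMonitor.Stop()
    validator.DumpFinalStats()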
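def testRunningProcesses(self):
    """Verify the loaded modules of selected processes against their on-disk images.

    Runs through every process reported by ``System.scan_processes()``, keeps only
    those whose ``fileName`` matches a substring in ``self.PROCESS_TO_SCAN``, and for
    each loaded module reads the mapped image from process memory and hands it to
    ``validator.CompareExe`` with the module's on-disk path. Failures at process or
    module level go through ``validator.ExceptionHandler`` (presumably logged and
    skipped rather than fatal - verify in MemoryValidatorClass). ``CounterMonitor``
    is stopped in a ``finally`` so an exception cannot leave it running.
    """
    validator = MemoryValidatorClass()
    validator.Initialize('c:\\mem\\user\\')
    CounterMonitor.Start()
    try:
        # Without debug privileges most processes of other users cannot be opened or read.
        System.request_debug_privileges()
        with UpdateCounterForScope('main'):
            system = System()
            system.scan_processes()
            totalProcesses = system.get_process_count()
            for processIndex, process in enumerate(system.iter_processes()):
                fileName = process.fileName
                pid = process.dwProcessId
                if not fileName or not pid:
                    continue
                validator.ImageName = fileName
                logging.info("---------------------------------------------")
                validator.Message = "[{}] fileName:{} pid:{}".format(processIndex, fileName, pid)
                logging.info(validator.Message)
                if not any(s in fileName for s in self.PROCESS_TO_SCAN):
                    continue
                print('------process {}/{} {}-------'.format(processIndex, totalProcesses, fileName))
                with validator.ExceptionHandler('Failed comparing {0}'.format(fileName)):
                    process.scan_modules()
                    # One list per lower-cased base name, since a DLL of the same
                    # name can be mapped from several directories.
                    mods = {}
                    for module in process.iter_modules():
                        fullDllName = module.get_filename().lower()
                        baseDllName = ntpath.basename(fullDllName)
                        mods.setdefault(baseDllName, []).append({
                            'BaseDllName': baseDllName,
                            'FullDllName': fullDllName,
                            'StartAddr': module.get_base(),
                            'EndAddr': module.get_base() + module.get_size(),
                            'SizeOfImage': module.get_size(),
                        })
                    validator.BuildLoadedModuleAddressesFromWinAppDbg(mods)
                    totalMods = len(mods)
                    for modIndex, modList in enumerate(mods.values()):
                        print('module {}/{} {}'.format(modIndex, totalMods, modList[0]['BaseDllName']))
                        for mod in modList:
                            validator.InitializeModuleInfoFromWinAppDbg(mod)
                            with validator.ExceptionHandler('failed comparing {0}'.format(mod)):
                                # validator.DllBase / SizeOfImage come from InitializeModuleInfoFromWinAppDbg.
                                memoryData = process.read(validator.DllBase, validator.SizeOfImage)
                                if not memoryData:
                                    validator.Warn('failed to read memory data')
                                    continue
                                validator.CompareExe(memoryData, validator.FullDllPath)
    finally:
        # Always stop the monitor, whether or not the scan completed.
        CounterMonitor.Stop()
    validator.DumpFinalStats()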
table.addRow( *header ) table.addRow( *separator ) # Request debug privileges. System.request_debug_privileges() # Scan for running processes. system = System() try: system.scan_processes() #system.scan_process_filenames() except WindowsError: system.scan_processes_fast() # For each running process... for process in system.iter_processes(): try: # Get the process ID. pid = process.get_pid() # Skip "special" process IDs. if pid in (0, 4, 8): continue # Skip 64 bit processes. if process.get_bits() != 32: continue # Get the DEP policy flags. flags, permanent = process.get_dep_policy()
table.addRow(*header) table.addRow(*separator) # Request debug privileges. System.request_debug_privileges() # Scan for running processes. system = System() try: system.scan_processes() #system.scan_process_filenames() except WindowsError: system.scan_processes_fast() # For each running process... for process in system.iter_processes(): try: # Get the process ID. pid = process.get_pid() # Skip "special" process IDs. if pid in (0, 4, 8): continue # Skip 64 bit processes. if process.get_bits() != 32: continue # Get the DEP policy flags. flags, permanent = process.get_dep_policy()