2.1. Processes and Threads

2.1.1. CurrentProcess

Note: See sample windows.current_process

class windows.winobject.process.CurrentProcess
    Bases: windows.winobject.process.Process
    The current process

    allocated_memory(**kwds)
        Context manager that allocates memory and frees it on exit.
        Type: int (the address of the allocated memory)

    create_thread(lpStartAddress, lpParameter, dwCreationFlags=0)
        Create a new thread.
        Return type: WinThread or DeadThread

    execute(code, parameter=0)
        Execute the native code code in the current thread.
        Return type: int (the return value of the native code)

    get_mapped_filename(addr)
        The filename mapped at address addr, or None.
        Return type: unicode or None

    handle
        A handle on the object.
        Type: HANDLE
        Note: The handle is automatically closed when the object is destroyed.

    load_library(dll_path)
        Load the library in the current process.
        Return type: LoadedModule

    memory_state()
        Yield the memory information for the whole address space of the process.
        Yields: MEMORY_BASIC_INFORMATION

    query_memory(addr)
        Query the memory information about the page at addr.
        Return type: MEMORY_BASIC_INFORMATION

    read_byte(addr)
        Read a CHAR at addr.

    read_dword(addr)
        Read a DWORD at addr.

    read_ptr(addr)
        Read a PTR at addr.

    read_qword(addr)
        Read a ULONG64 at addr.

    read_short(addr)
        Read a SHORT at addr.

    time_info
        The time information of the process (creation, kernel/user time, exit time).
        Type: TimeInfo

    virtual_alloc(size, prot=PAGE_EXECUTE_READWRITE(0x40))
        Allocate memory in the process.
        Returns: The address of the allocated memory
        Return type: int

    virtual_protect(addr, size, protect, old_protect=None)
        Change the access rights of one or more pages of the process.

    virtual_protected(**kwds)
        A context manager for a local virtual_protect (the old protection is restored at exit).

    write_byte(addr, byte)
        Write a byte at addr.

    write_dword(addr, dword)
        Write a dword at addr.

    write_ptr(addr, value)
        Write a PTR at addr.

    write_qword(addr, qword)
        Write a qword at addr.

    write_short(addr, word)
        Write a word at addr.
2.1.2. CurrentThread

class windows.winobject.process.CurrentThread
    Bases: windows.winobject.process.Thread
    The current thread

    handle
        A handle on the object.
        Type: HANDLE
        Note: The handle is automatically closed when the object is destroyed.

    open_token(flags=MAXIMUM_ALLOWED(0x2000000), as_self=False)
        Open the thread token if there is one (impersonation), else return None.
        as_self tells which security context should be used.
        Returns: Token

    owner
        The current process.
        Type: CurrentProcess

    set_token(token)
        Set the token for the thread (impersonation). Setting the token to None reverts the impersonation.

    token
        The thread Token.
        Getter: open_token()
        Setter: set_token()
2.1.3. WinProcess

Note: See sample Remote process: WinProcess

class windows.winobject.process.WinProcess(pid=None, handle=None, name=None, ppid=None)
    Bases: windows.winobject.process.Process
    A process on the system

    allocated_memory(**kwds)
        Context manager that allocates memory and frees it on exit.
        Type: int (the address of the allocated memory)

    create_thread(addr, param)
        Create a remote thread.
        Return type: WinThread or DeadThread

    execute(code, parameter=0)
        Execute some native code in the context of the process.
        Returns: The thread executing the code
        Return type: WinThread or DeadThread

    execute_python(pycode)
        Execute Python code in the remote process.
        This function waits for the remote code to end and raises an exception if the remote thread raised one.

    execute_python_unsafe(pycode)
        Execute Python code in the remote process.
        Returns: The thread executing the Python code
        Return type: WinThread or DeadThread

    get_mapped_filename(addr)
        The filename mapped at address addr, or None.
        Return type: unicode or None

    handle
        A handle on the object.
        Type: HANDLE
        Note: The handle is automatically closed when the object is destroyed.

    load_library(dll_path)
        Load the library in the remote process.
        Return type: LoadedModule

    memory_state()
        Yield the memory information for the whole address space of the process.
        Yields: MEMORY_BASIC_INFORMATION

    query_memory(addr)
        Query the memory information about the page at addr.
        Return type: MEMORY_BASIC_INFORMATION

    read_byte(addr)
        Read a CHAR at addr.

    read_dword(addr)
        Read a DWORD at addr.

    read_ptr(addr)
        Read a PTR at addr.

    read_qword(addr)
        Read a ULONG64 at addr.

    read_short(addr)
        Read a SHORT at addr.

    read_string(addr)
        Read an ASCII string at addr.

    read_wstring(addr)
        Read a Windows UTF-16 string at addr.

    time_info
        The time information of the process (creation, kernel/user time, exit time).
        Type: TimeInfo

    virtual_alloc(size, prot=PAGE_EXECUTE_READWRITE(0x40), addr=None)
        Allocate memory in the process.
        Returns: The address of the allocated memory
        Return type: int

    virtual_protect(addr, size, protect, old_protect=None)
        Change the access rights of one or more pages of the process.

    virtual_protected(**kwds)
        A context manager for a local virtual_protect (the old protection is restored at exit).

    wait(timeout=INFINITE(0xffffffff))
        Wait for the object.

    write_byte(addr, byte)
        Write a byte at addr.

    write_dword(addr, dword)
        Write a dword at addr.

    write_ptr(addr, value)
        Write a PTR at addr.

    write_qword(addr, qword)
        Write a qword at addr.

    write_short(addr, word)
        Write a word at addr.
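The memory_state() iterator documented above for both CurrentProcess and WinProcess is the natural place to look for pages that are writable and executable at the same time, a classic artefact of injected code (note that virtual_alloc itself defaults to PAGE_EXECUTE_READWRITE, so any tool built on this library creates exactly such regions). The scan below is an added example and is not part of the PythonForWindows documentation or code base: it only relies on memory_state() yielding objects that carry the standard Win32 MEMORY_BASIC_INFORMATION field names (BaseAddress, RegionSize, State, Protect, Type), so it runs unchanged against a real process object, and it ships with a constructed FakeProcess and a hand-built region list so it can also execute offline. The MEMORY_BASIC_INFORMATION structure, the FakeProcess class and the sample regions are my own stand-ins; the constants are the standard Windows SDK values.

```python
import ctypes

# Standard Windows SDK constants (values as in the SDK headers).
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40      # default `prot` of virtual_alloc on this page
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD = 0x100                 # modifier bit, not a protection of its own
WRITABLE_AND_EXECUTABLE = (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    """Local stand-in (assumption: same field names and order as the Win32 struct)."""
    _fields_ = [
        ("BaseAddress", ctypes.c_void_p),
        ("AllocationBase", ctypes.c_void_p),
        ("AllocationProtect", ctypes.c_uint32),
        ("RegionSize", ctypes.c_size_t),
        ("State", ctypes.c_uint32),
        ("Protect", ctypes.c_uint32),
        ("Type", ctypes.c_uint32),
    ]


class FakeProcess:
    """Constructed stand-in for a WinProcess: yields hand-built regions."""

    def __init__(self, regions):
        self._regions = regions

    def memory_state(self):
        for base, size, state, protect, mtype in self._regions:
            # positional order matches _fields_ above
            yield MEMORY_BASIC_INFORMATION(base, base, protect, size, state, protect, mtype)


# Constructed sample address space: (BaseAddress, RegionSize, State, Protect, Type).
SAMPLE_REGIONS = [
    (0x00400000, 0x1000, MEM_COMMIT, PAGE_READONLY, MEM_IMAGE),                   # PE header
    (0x00401000, 0x8000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE),               # .text
    (0x00409000, 0x2000, MEM_COMMIT, PAGE_READWRITE, MEM_IMAGE),                  # .data
    (0x01000000, 0x10000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),       # private RWX
    (0x01010000, 0x10000, MEM_RESERVE, 0, MEM_PRIVATE),                           # reserved only
    (0x02000000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE | PAGE_GUARD, MEM_MAPPED),
]


def scan_rwx(process):
    """Return (base, size, protect, type) for every committed region whose page
    protection is both writable and executable. `process` needs only a
    memory_state() method yielding MEMORY_BASIC_INFORMATION-like objects."""
    findings = []
    for mbi in process.memory_state():
        if mbi.State != MEM_COMMIT:
            continue                                   # free or reserved: no pages to read
        protect = mbi.Protect & ~PAGE_GUARD            # strip the guard modifier bit
        if protect in WRITABLE_AND_EXECUTABLE:
            findings.append((mbi.BaseAddress, mbi.RegionSize, protect, mbi.Type))
    return findings


def private_rwx_bases(process):
    """Bases of RWX regions that are private (not image- or file-backed); these
    are the ones that have no legitimate on-disk origin and deserve a dump."""
    return [base for base, _size, _prot, mtype in scan_rwx(process) if mtype == MEM_PRIVATE]


if __name__ == "__main__":
    try:
        import windows                                 # PythonForWindows, Windows host only
        target = windows.current_process
    except ImportError:
        target = FakeProcess(SAMPLE_REGIONS)           # offline: constructed data
    for base, size, prot, mtype in scan_rwx(target):
        print("RWX region base=0x%x size=0x%x protect=0x%x type=0x%x" % (base, size, prot, mtype))
```

On a real host the same functions accept windows.current_process or any WinProcess, since both expose the memory_state() iterator documented above; for a remote process, pairing each hit with get_mapped_filename(base) (also documented above) separates file-backed regions from anonymous ones.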
2.1.4. WinThread

class windows.winobject.process.WinThread(tid=None, handle=None, owner_pid=None, owner=None)
    Bases: windows.winobject.process.Thread
    Represents a thread

    context
        The context of the thread; the type depends on the target process.
        Type: windows.exception.ECONTEXT32 or windows.exception.ECONTEXT64 or windows.exception.ECONTEXTWOW64

    context_syswow
        The 64-bit context of a syswow thread.
        Type: windows.exception.ECONTEXT64

    handle
        A handle on the object.
        Type: HANDLE
        Note: The handle is automatically closed when the object is destroyed.

    open_token(flags=MAXIMUM_ALLOWED(0x2000000), as_self=False)
        Open the thread token if there is one (impersonation), else return None.
        as_self tells which security context should be used.
        Returns: Token

    owner
        The process owning the thread.
        Type: WinProcess

    set_token(token)
        Set the token for the thread (impersonation). Setting the token to None reverts the impersonation.

    token
        The thread Token.
        Getter: open_token()
        Setter: set_token()

    wait(timeout=INFINITE(0xffffffff))
        Wait for the object.

class windows.winobject.process.DeadThread(handle, tid=None)
    Bases: windows.utils.pythonutils.AutoHandle
    An already dead thread (returned only by APIs returning a new thread, when the thread dies before being returned)

    handle
        A handle on the object.
        Type: HANDLE
        Note: The handle is automatically closed when the object is destroyed.

    wait(timeout=INFINITE(0xffffffff))
        Wait for the object.
2.2. PEB Exploration

The windows module is able to parse the PEB of the current process or of a remote process.
The PEB is accessible via process.peb and is of type PEB.

Note: See sample PEB exploration

2.2.1. PEB

class windows.winobject.process.PEB
    The PEB (Process Environment Block) of the current process

    apisetmap
        The ApiSetMap of the process.
        Return type: A subclass of ApiSetMap
        Raises: NotImplementedError (before 6.2 the ApiSetMap did not exist)
        Raises: NotImplementedError (not implemented for remote process)

    commandline
        The CommandLine of the PEB.
        Type: LSA_UNICODE_STRING

    exe
        The executable of the process, as pointed to by PEB.ImageBaseAddress.
        Type: windows.pe_parse.PEFile

    imagepath
        The ImagePathName of the PEB.
        Type: LSA_UNICODE_STRING

    modules
        The loaded modules present in the PEB.
        Type: [LoadedModule] (list of loaded modules)
2.2.2. LoadedModule

2.2.3. ApiSetMap

Note: See sample ApiSetMap

class windows.winobject.apisetmap.ApiSetMap(base)
    The base class for the ApiSetMap (see Runtime DLL name resolution: ApiSetSchema)

    apisetmap_dict
        The ApiSetMap DLL-mapping content extracted from memory, as a dict.
        key -> value example: u'ext-ms-win-advapi32-encryptedfile-l1-1-1' -> u'advapi32.dll'

    resolution_dict
        The dict based on apisetmap_dict with only the part checked by Windows.
        Windows does not care about what comes after the last '-'.
        key -> value example: u'ext-ms-win-advapi32-encryptedfile-l1-1-' -> u'advapi32.dll'

    resolve(dllname)
        The method used to resolve a DLL name using the ApiSetMap. The behavior should match the non-exported function ntdll!ApiSetResolveToHost.

    version = None
        The version of the ApiSetMap.

Note: Currently supported versions for the ApiSetMap are 2/4/6.

class windows.winobject.apisetmap.ApiSetMapVersion2(base)
    Represents an ApiSetMap version 2

    version = 2
        The version of the ApiSetMap.
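The relationship between apisetmap_dict, resolution_dict and resolve() described above is easy to get wrong when reasoning about which host DLL a contract name really lands on, so here is the derivation carried through in pure Python. This is an added example, not the library's code and not a copy of ntdll!ApiSetResolveToHost: the ApiSetMapModel class rebuilds resolution_dict from a mapping by keeping everything up to and including the last '-', exactly the rule the page gives, and resolve() looks a requested name up the same way. Two assumptions of mine are labelled in the code: only names beginning with api- or ext- are treated as contracts (the loader's prefix check as I understand it), and a name absent from the map resolves to None. The page's own advapi32 entry is used as sample data; the other entries are constructed. diff_hosts() is a small defender's addition: comparing a map read from a live process against a known-good baseline shows any contract that has been redirected to an unexpected host.

```python
def resolution_key(name):
    """Normalise a contract name to the part Windows actually checks:
    lower-case, without a .dll extension, truncated after the last '-'."""
    name = name.lower()
    if name.endswith(".dll"):
        name = name[:-4]
    cut = name.rfind("-")
    return name if cut == -1 else name[:cut + 1]


class ApiSetMapModel:
    """Pure-Python model of the two dicts documented on this page (not the
    library's ApiSetMap class, which reads the schema out of the PEB)."""

    def __init__(self, apisetmap_dict):
        self.apisetmap_dict = dict(apisetmap_dict)
        # Same derivation as resolution_dict: suffix after the last '-' is dropped.
        # Two full names that differ only in that suffix collapse onto one key,
        # which is precisely why Windows considers the suffix irrelevant.
        self.resolution_dict = {resolution_key(k): v for k, v in self.apisetmap_dict.items()}

    @staticmethod
    def is_contract_name(dllname):
        # Assumption: the loader only consults the map for api-*/ext-* names.
        return dllname.lower().startswith(("api-", "ext-"))

    def resolve(self, dllname):
        """Host DLL for a contract name, or None if the name is not a contract
        or is not present in the map (assumption: unknown names resolve to None)."""
        if not self.is_contract_name(dllname):
            return None
        return self.resolution_dict.get(resolution_key(dllname))

    def diff_hosts(self, baseline):
        """Resolution keys whose host differs from `baseline` (a dict of
        resolution key -> expected host). Returns {key: (expected, actual)}."""
        changed = {}
        for key, expected in baseline.items():
            actual = self.resolution_dict.get(key)
            if actual != expected:
                changed[key] = (expected, actual)
        return changed


# Sample map: first entry is the example on this page, the rest is constructed.
SAMPLE_APISETMAP = {
    u'ext-ms-win-advapi32-encryptedfile-l1-1-1': u'advapi32.dll',
    u'api-ms-win-core-memory-l1-1-0': u'kernelbase.dll',
    u'api-ms-win-core-processthreads-l1-1-2': u'kernel32.dll',
}

# Constructed known-good baseline, keyed the way resolution_dict is.
SAMPLE_BASELINE = {
    u'ext-ms-win-advapi32-encryptedfile-l1-1-': u'advapi32.dll',
    u'api-ms-win-core-memory-l1-1-': u'kernelbase.dll',
}


if __name__ == "__main__":
    model = ApiSetMapModel(SAMPLE_APISETMAP)
    for name in ("ext-ms-win-advapi32-encryptedfile-l1-1-7.dll", "kernel32.dll"):
        print(name, "->", model.resolve(name))
    print("diff against baseline:", model.diff_hosts(SAMPLE_BASELINE))
```

On a real host the dict to feed ApiSetMapModel comes from windows.current_process.peb.apisetmap.apisetmap_dict (both attributes documented above); the model's resolution_dict should then equal the library's own resolution_dict, which is a handy cross-check when adding support for a new schema version.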
2.3. PEFile - Parsing loaded PE

2.3.1. windows.pe_parse

windows.pe_parse.GetPEFile(baseaddr, target=None, force_bitness=None)
    Returns a PEFile to explore a PE loaded at baseaddr in process target.
    Return type: PEFile
    Note: If target is None it refers to the current process.

2.3.1.1. PEFile

class windows.pe_parse.PEFile(target, baseaddr, targetedbitness, transformers)
    Represents a PE loaded in a process (current or remote)

    export_name
        The Name attribute of the EXPORT_DIRECTORY.

2.3.1.2. IATEntry

class windows.pe_parse.IATEntry
    Represents an entry in the IAT of a module. Can be used to get the resolved value and to set up a hook.

    value
        int: The content (destination) of the IAT entry.
        Warning: value is a descriptor. Setting its value will actually CHANGE THE IAT ENTRY, resulting in a segfault if no VirtualProtect has been done.

    set_hook(callback, types=None)
        Set up a hook on the entry and return it. You MUST keep a reference to the hook while the hook is enabled.
        Parameters: callback (the hook)
        Note: See Hook protocol
        Return type: windows.hooks.IATHook
        Warning: This works only for a PEFile whose target is the current process.