2.1. Processes and Threads
2.1.1. CurrentProcess
Note
See sample windows.current_process
- class windows.winobject.process.CurrentProcess
  Bases: Process
  The current process
  - allocated_memory(size, prot=PAGE_EXECUTE_READWRITE(0x40))
    ContextManager to allocate memory and free it
    - Type: int – the address of the allocated memory
  - property bitness
    The bitness of the process
    - Type: int – 32 or 64
  - create_thread(lpStartAddress, lpParameter, dwCreationFlags=0)
    Create a new thread
    - Return type:
  - execute(code, parameter=0)
    Execute the native code given by code in the current thread.
    - Return type: int – the return value of the native code
  - property exit_code
    The exit code of the process: STILL_ACTIVE means the process is not dead
    - Type: int
  - get_mapped_filename(addr)
    The filename mapped at address addr, or None
    - Return type: unicode or None
  - property handle
    A handle on the object
    - Type: HANDLE
    Note
    The handle is automatically closed when the object is destroyed
  - property is_exit
    True if the process is terminated
    - Type: bool
  - property is_wow_64
    True if the process is a SysWow64 process (32-bit process on a 64-bit system)
    - Type: bool
  - memory_state()
    Yield the memory information for the whole address space of the process
    - Yield:
  - property pid
    Process ID
    - Type: int
  - property ppid
    Parent Process ID
    - Type: int
  - property priority
  - query_memory(addr)
    Query the memory information about the page at addr
    - Return type:
  - read_byte(addr)
    Read a CHAR at addr
  - read_dword(addr)
    Read a DWORD at addr
  - read_ptr(addr)
    Read a PTR at addr
  - read_qword(addr)
    Read a ULONG64 at addr
  - read_short(addr)
    Read a SHORT at addr
  - property time_info
    The time information of the process (creation, kernel/user time, exit time)
    - Type: TimeInfo
  - virtual_alloc(size, prot=PAGE_EXECUTE_READWRITE(0x40))
    Allocate memory in the process
    - Returns: The address of the allocated memory
    - Return type: int
  - virtual_protect(addr, size, protect, old_protect=None)
    Change the access rights of one or more pages of the process
  - virtual_protected(addr, size, protect)
    A context manager for a local virtual_protect (the old protection is restored at exit)
  - write_byte(addr, byte)
    Write a byte at addr
  - write_dword(addr, dword)
    Write a dword at addr
  - write_ptr(addr, value)
    Write a PTR at addr
  - write_qword(addr, qword)
    Write a qword at addr
  - write_short(addr, word)
    Write a word at addr
2.1.2. CurrentThread
- class windows.winobject.process.CurrentThread
  Bases: Thread
  The current thread
  - property handle
    A handle on the object
    - Type: HANDLE
    Note
    The handle is automatically closed when the object is destroyed
  - open_token(flags=MAXIMUM_ALLOWED(0x2000000), as_self=False)
    Open the thread token if any (impersonation), else return None. as_self tells which security context should be used.
    - Returns:
  - property owner
    The current process
    - Type:
  - set_token(token)
    Set the token for the thread (impersonation). Setting the token to None reverts the impersonation.
  - property tid
    Thread ID
    - Type: int
2.1.3. WinProcess
Note
See sample Remote process : WinProcess
- class windows.winobject.process.WinProcess(pid=None, handle=None, name=None, ppid=None)
  Bases: Process
  A Process on the system
  - allocated_memory(size, prot=PAGE_EXECUTE_READWRITE(0x40))
    ContextManager to allocate memory and free it
    - Type: int – the address of the allocated memory
  - property bitness
    The bitness of the process
    - Returns: int – 32 or 64
  - execute(code, parameter=0)
    Execute some native code in the context of the process
    - Returns: The thread executing the code
    - Return type:
  - execute_python(pycode)
    Execute Python code into the remote process.
    This function waits for the remote process to end and raises an exception if the remote thread raised one
  - execute_python_unsafe(pycode)
    Execute Python code into the remote process.
    - Return type: WinThread or DeadThread – the thread executing the Python code
  - property exit_code
    The exit code of the process: STILL_ACTIVE means the process is not dead
    - Type: int
  - get_mapped_filename(addr)
    The filename mapped at address addr, or None
    - Return type: unicode or None
  - property handle
    A handle on the object
    - Type: HANDLE
    Note
    The handle is automatically closed when the object is destroyed
  - property is_exit
    True if the process is terminated
    - Type: bool
  - property is_wow_64
    True if the process is a SysWow64 process (32-bit process on a 64-bit system)
    - Type: bool
  - memory_state()
    Yield the memory information for the whole address space of the process
    - Yield:
  - property name
    Name of the process
    - Type: str
  - property peb_addr
    The address of the PEB
    - Type: int
  - property pid
    Process ID
    - Type: int
  - property ppid
    Parent Process ID
    - Type: int
  - property priority
  - query_memory(addr)
    Query the memory information about the page at addr
    - Return type:
  - read_byte(addr)
    Read a CHAR at addr
  - read_dword(addr)
    Read a DWORD at addr
  - read_ptr(addr)
    Read a PTR at addr
  - read_qword(addr)
    Read a ULONG64 at addr
  - read_short(addr)
    Read a SHORT at addr
  - read_string(addr)
    Read an ASCII string at addr
  - read_wstring(addr)
    Read a Windows UTF-16 string at addr
  - property time_info
    The time information of the process (creation, kernel/user time, exit time)
    - Type: TimeInfo
  - virtual_alloc(size, prot=PAGE_EXECUTE_READWRITE(0x40), addr=None)
    Allocate memory in the process
    - Returns: The address of the allocated memory
    - Return type: int
  - virtual_protect(addr, size, protect, old_protect=None)
    Change the access rights of one or more pages of the process
  - virtual_protected(addr, size, protect)
    A context manager for a local virtual_protect (the old protection is restored at exit)
  - wait(timeout=INFINITE(0xffffffff))
    Wait for the object
  - write_byte(addr, byte)
    Write a byte at addr
  - write_dword(addr, dword)
    Write a dword at addr
  - write_ptr(addr, value)
    Write a PTR at addr
  - write_qword(addr, qword)
    Write a qword at addr
  - write_short(addr, word)
    Write a word at addr
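The read_*/write_* primitives above differ only in width and decoding, and the one that is easy to get wrong is read_ptr: a PTR is pointer-sized for the target process, so it is 4 bytes for a 32-bit (or SysWow64) target and 8 bytes for a 64-bit one. The following is an added example, not PythonForWindows' own code: a stand-in class that implements the same primitives over an in-memory byte buffer, so the widths and the string-termination rules can be exercised offline. The class name, the memory image and the base addresses are constructed for the illustration; read_byte returns the CHAR unsigned, which is a choice made here.

```python
import struct

# Added example, not PythonForWindows' code: a Process look-alike backed by a bytearray,
# implementing the read_*/write_* primitives with the same widths as the documented API.
# BufferProcess, build_sample_image and demo are names invented for this illustration.


class BufferProcess(object):
    """A single mapped region starting at `base`, read with the target's bitness."""

    def __init__(self, base, image, bitness):
        if bitness not in (32, 64):
            raise ValueError("bitness must be 32 or 64")
        self.base = base
        self.mem = bytearray(image)
        self.bitness = bitness          # drives the width of read_ptr / write_ptr

    def _offset(self, addr, size):
        off = addr - self.base
        if off < 0 or off + size > len(self.mem):
            raise ValueError("range 0x%x+%d is not mapped" % (addr, size))
        return off

    def read_memory(self, addr, size):
        off = self._offset(addr, size)
        return bytes(self.mem[off:off + size])

    def write_memory(self, addr, data):
        off = self._offset(addr, len(data))
        self.mem[off:off + len(data)] = data

    def _read(self, addr, fmt):
        fmt = "<" + fmt                  # Windows is little-endian on every supported CPU
        return struct.unpack(fmt, self.read_memory(addr, struct.calcsize(fmt)))[0]

    def read_byte(self, addr):
        return self._read(addr, "B")     # CHAR, returned unsigned here (0..255)

    def read_short(self, addr):
        return self._read(addr, "H")     # SHORT, 2 bytes

    def read_dword(self, addr):
        return self._read(addr, "I")     # DWORD, 4 bytes

    def read_qword(self, addr):
        return self._read(addr, "Q")     # ULONG64, 8 bytes

    def read_ptr(self, addr):
        # PTR follows the target: 4 bytes for 32-bit/SysWow64, 8 bytes for 64-bit.
        # Reading a 64-bit pointer as a DWORD silently drops the high half.
        return self.read_dword(addr) if self.bitness == 32 else self.read_qword(addr)

    def read_string(self, addr, max_len=4096):
        # NUL-terminated ASCII string, bounded by the mapped region.
        avail = len(self.mem) - self._offset(addr, 0)
        data = self.read_memory(addr, min(max_len, avail))
        return data.split(b"\x00", 1)[0].decode("ascii")

    def read_wstring(self, addr, max_len=4096):
        # Windows UTF-16LE string ended by a 2-byte NUL on a code-unit boundary.
        avail = len(self.mem) - self._offset(addr, 0)
        data = self.read_memory(addr, min(max_len, avail))
        out = b""
        for i in range(0, len(data) - 1, 2):
            unit = data[i:i + 2]
            if unit == b"\x00\x00":
                break
            out += unit
        return out.decode("utf-16-le")

    def write_ptr(self, addr, value):
        fmt = "<I" if self.bitness == 32 else "<Q"
        self.write_memory(addr, struct.pack(fmt, value))


def build_sample_image():
    """Constructed 64-byte memory image for the demo (not a real process dump)."""
    img = bytearray(64)
    struct.pack_into("<Q", img, 0, 0x7FF600001000)      # a 64-bit pointer
    struct.pack_into("<I", img, 8, 0xDEADBEEF)          # a DWORD
    struct.pack_into("<H", img, 12, 0x1234)             # a SHORT
    img[14] = 0x7F                                      # a CHAR
    img[16:29] = b"kernel32.dll\x00"                    # ASCII string, 13 bytes
    wide = "ntdll.dll".encode("utf-16-le") + b"\x00\x00"
    img[32:32 + len(wide)] = wide                       # UTF-16LE string, 20 bytes
    return bytes(img)


def demo():
    """Read the same image as a 64-bit and as a 32-bit target and return what each sees."""
    base64, base32 = 0x7FF600000000, 0x10000000
    p64 = BufferProcess(base64, build_sample_image(), 64)
    p32 = BufferProcess(base32, build_sample_image(), 32)
    result = {
        "ptr64": p64.read_ptr(base64),          # full 8-byte pointer
        "ptr32": p32.read_ptr(base32),          # only the low 4 bytes of the same field
        "dword": p64.read_dword(base64 + 8),
        "short": p64.read_short(base64 + 12),
        "byte": p64.read_byte(base64 + 14),
        "string": p64.read_string(base64 + 16),
        "wstring": p64.read_wstring(base64 + 32),
    }
    p64.write_ptr(base64, 0x4141414142424242)   # round-trip a pointer write
    result["ptr64_after_write"] = p64.read_ptr(base64)
    try:                                        # an access past the region is refused
        p64.read_dword(base64 + 64)
        result["oob_refused"] = False
    except ValueError:
        result["oob_refused"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The bounds check in _offset is the part a real remote reader gets from ReadProcessMemory failing; here it is explicit so the caller sees a ValueError rather than a partial read.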
2.1.4. WinThread
- class windows.winobject.process.WinThread(tid=None, handle=None, owner_pid=None, owner=None)
  Bases: Thread
  Represents a thread
  - property context
    The context of the thread; its type depends on the target process.
    - Type: windows.exception.ECONTEXT32 or windows.exception.ECONTEXT64 or windows.exception.ECONTEXTWOW64
  - property context_syswow
    The 64-bit context of a SysWow64 thread.
    - Type: windows.exception.ECONTEXT64
  - property exit_code
    The exit code of the thread: STILL_ACTIVE means the thread is not dead
    - Type: int
  - property handle
    A handle on the object
    - Type: HANDLE
    Note
    The handle is automatically closed when the object is destroyed
  - property is_exit
    True if the thread is terminated
    - Type: bool
  - open_token(flags=MAXIMUM_ALLOWED(0x2000000), as_self=False)
    Open the thread token if any (impersonation), else return None. as_self tells which security context should be used.
    - Returns:
  - property owner
    The Process owning the thread
    - Type:
  - set_token(token)
    Set the token for the thread (impersonation). Setting the token to None reverts the impersonation.
  - property start_address
    The start address of the thread
    - Type: int
  - property teb_base
    The address of the thread’s TEB. If the owner is a SysWow64 process, returns the TEB32.
    - Type: int
  - property teb_syswow_base
    The address of the thread’s TEB64 for a SysWow64 process
    - Type: int
  - property tid
    Thread ID
    - Type: int
  - wait(timeout=INFINITE(0xffffffff))
    Wait for the object
- class windows.winobject.process.DeadThread(handle, tid=None)
  Bases: AutoHandle
  An already dead thread (returned only by APIs that return a new thread, when the thread dies before it is returned)
  - property exit_code
    The exit code of the thread: STILL_ACTIVE means the thread is not dead
    - Type: int
  - property handle
    A handle on the object
    - Type: HANDLE
    Note
    The handle is automatically closed when the object is destroyed
  - property is_exit
    True if the thread is terminated
    - Type: bool
  - wait(timeout=INFINITE(0xffffffff))
    Wait for the object
2.2. PEB Exploration
The windows module is able to parse the PEB of the current process or of a remote process.
The PEB is accessible via process.peb and is of type PEB.
Note
See sample PEB exploration
2.2.1. PEB
- class windows.winobject.process.PEB
  The PEB (Process Environment Block) of the current process
  - property apisetmap
    The ApiSetMap of the process
    - Return type: A subclass of ApiSetMap
    - Raise: NotImplementedError – Before 6.2 the ApiSetMap did not exist
    - Raise: NotImplementedError – Not implemented for remote process
  - property commandline
    The CommandLine of the PEB
    - Type:
  - property exe
    The executable of the process, as pointed to by PEB.ImageBaseAddress
    - Type:
  - property imagepath
    The ImagePathName of the PEB
    - Type:
  - property modules
    The loaded modules present in the PEB
    - Type: [LoadedModule] – List of loaded modules
2.2.2. LoadedModule
2.2.3. ApiSetMap
Note
See sample ApiSetMap
- class windows.winobject.apisetmap.ApiSetMap(base)
  The base class for the ApiSetMap (see Runtime DLL name resolution: ApiSetSchema)
  - property apisetmap_dict
    The apisetmap dll-mapping content extracted from memory as a dict
    key -> value example: u'ext-ms-win-advapi32-encryptedfile-l1-1-1' -> u'advapi32.dll'
  - property resolution_dict
    The dict based on apisetmap_dict with only the part checked by Windows. Windows does not care about what is after the last '-'.
    key -> value example: u'ext-ms-win-advapi32-encryptedfile-l1-1-' -> u'advapi32.dll'
  - resolve(dllname)
    The method used to resolve a DLL name using the ApiSetMap. The behavior should match the non-exported function ntdll!ApiSetResolveToHost
  - version = None
    The version of the ApiSetMap
    Note
    Currently supported versions for the ApiSetMap are 2/4/6
- class windows.winobject.apisetmap.ApiSetMapVersion2(base)
  Represents an ApiSetMap version 2
  - version = 2
    The version of the ApiSetMap
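The relationship between apisetmap_dict, resolution_dict and resolve() is easiest to see in code. The following is an added example, not PythonForWindows' implementation: it derives the truncated-key dictionary from a constructed contract-to-host mapping (the first entry is the one quoted in the documentation) and resolves names the way the text describes, ignoring everything after the last '-'. Two details are assumptions made here rather than statements from the page: matching is done case-insensitively with a trailing '.dll' stripped, and only names beginning with 'api-' or 'ext-' are treated as API set contracts. Why this matters for a defender: an import of an api-ms-win-* or ext-ms-win-* name tells you nothing about which DLL actually services it until it is resolved against the ApiSetMap of the process in question.

```python
# Added example, not PythonForWindows' code: a pure-Python model of apisetmap_dict,
# resolution_dict and resolve(). The mapping below is constructed for the illustration
# (first entry taken from the documentation); a real ApiSetMap is parsed from the PEB.
SAMPLE_APISETMAP_DICT = {
    u"ext-ms-win-advapi32-encryptedfile-l1-1-1": u"advapi32.dll",
    u"api-ms-win-core-processthreads-l1-1-2": u"kernel32.dll",
    u"api-ms-win-core-file-l1-2-1": u"kernel32.dll",
    u"api-ms-win-core-com-l1-1-0": u"combase.dll",
}


def resolution_key(name):
    """The part of a contract name Windows compares: up to and including the last '-'.

    'ext-ms-win-advapi32-encryptedfile-l1-1-1' -> 'ext-ms-win-advapi32-encryptedfile-l1-1-'
    Returns None when the name has no '-' at all (it cannot be an API set name).
    """
    cut = name.rfind("-")
    if cut == -1:
        return None
    return name[:cut + 1]


def build_resolution_dict(apisetmap_dict):
    """Derive resolution_dict from apisetmap_dict by truncating every key."""
    resolution = {}
    for contract, host in apisetmap_dict.items():
        key = resolution_key(contract.lower())
        if key is not None:
            resolution[key] = host
    return resolution


def resolve(resolution_dict, dllname):
    """Map a DLL name to its host DLL, or return None if it is not a known API set contract.

    Assumptions made in this example (not stated on the page): the comparison is
    case-insensitive, a trailing '.dll' is ignored, and only names starting with
    'api-' or 'ext-' are candidates for resolution.
    """
    name = dllname.lower()
    if name.endswith(".dll"):
        name = name[:-4]
    if not (name.startswith("api-") or name.startswith("ext-")):
        return None                     # an ordinary DLL name, loaded as-is
    key = resolution_key(name)
    if key is None:
        return None
    return resolution_dict.get(key)     # None for a contract absent from this map


if __name__ == "__main__":
    table = build_resolution_dict(SAMPLE_APISETMAP_DICT)
    for imported in ("ext-ms-win-advapi32-encryptedfile-l1-1-1.dll",
                     "API-MS-WIN-CORE-FILE-L1-2-9.DLL", "kernel32.dll"):
        print("%-48s -> %s" % (imported, resolve(table, imported)))
```

The second name in the usage loop carries a version suffix (-9) that is not in the map, yet it still resolves: that is the truncation rule at work, and it is why resolution_dict rather than apisetmap_dict is the table to search.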
2.3. PEFile - Parsing loaded PE
2.3.1. windows.pe_parse
- windows.pe_parse.GetPEFile(baseaddr, target=None, force_bitness=None)
  Returns a PEFile to explore a PE loaded at baseaddr in process target.
  - Return type:
  Note
  If target is None it refers to the current process
2.3.1.1. PEFile
- class windows.pe_parse.PEFile(target, baseaddr, targetedbitness, transformers)
  Represents a PE loaded in a process (current or remote)
  - property export_name
    The Name attribute of the EXPORT_DIRECTORY
  - property exports
    The exports of the PE in a dict. Keys are ordinals (int) and names (str). The values are the addresses of the exports.
    - type: {(int or str): int}
2.3.1.2. IATEntry
- class windows.pe_parse.IATEntry
  Represents an entry in the IAT of a module. Can be used to get the resolved value and set up a hook.
  - addr
    int: Address of the IAT entry
  - ord
    int: Ordinal of the imported function
  - name
    int: Name of the imported function
  - value
    int: The content (destination) of the IAT entry
    Warning
    value is a descriptor. Setting its value will actually CHANGE THE IAT ENTRY, resulting in a segfault if no VirtualProtect has been done.
    Note
  - set_hook(callback, types=None)
    Set up a hook on the entry and return it. You MUST keep a reference to the hook while the hook is enabled.
    - Parameters: callback – the hook
    Note
    see Hook protocol
    - Return type:
    Warning
    This works only for PEFile with the current process as target.