2.1. Processes and Threads

2.1.1. CurrentProcess

Note

See sample windows.current_process

class windows.winobject.process.CurrentProcess[source]

Bases: windows.winobject.process.Process

The current process

allocated_memory(**kwds)

Context manager that allocates memory and frees it on exit

Yields:int – the address of the allocated memory
bitness

The bitness of the process

Type:int – 32 or 64
create_thread(lpStartAddress, lpParameter, dwCreationFlags=0)[source]

Create a new thread

Return type:WinThread or DeadThread
execute(code, parameter=0)[source]

Execute the native code in code in the current thread and return its result

Return type:int – the return value of the native code
exit(code=0)[source]

Exit the process

exit_code

The exit code of the process; STILL_ACTIVE means the process has not terminated

Type:int
get_mapped_filename(addr)

The filename mapped at address addr or None

Return type:unicode or None
handle

A handle on the object

Type:

HANDLE

Note

The handle is automatically closed when the object is destroyed

is_exit

True if the process is terminated

Type:bool
is_wow_64

True if the process is a SysWow64 process (a 32-bit process on a 64-bit system).

Type:bool
load_library(dll_path)[source]

Load the library in current process

Return type:LoadedModule
memory_state()

Yield the memory information for the whole address space of the process

Yield:MEMORY_BASIC_INFORMATION
open_token(flags=MAXIMUM_ALLOWED(0x2000000))

Open the process Token

Returns:Token
peb

The Process Environment Block of the current process

Type:PEB
peb_syswow

The 64-bit PEB of a SysWow64 process

Type:PEB
pid

Process ID

Type:int
ppid

Parent Process ID

Type:int
query_memory(addr)

Query the memory information about the page at addr

Return type:MEMORY_BASIC_INFORMATION
read_byte(addr)

Read a CHAR at addr

read_dword(addr)

Read a DWORD at addr

read_memory(addr, size)[source]

Read size from addr

Returns:The data read
Return type:str
read_ptr(addr)

Read a PTR at addr

read_qword(addr)

Read a ULONG64 at addr

read_short(addr)

Read a SHORT at addr

read_string(addr)[source]

Read a NUL-terminated ASCII string at addr

read_wstring(addr)[source]

Read a NUL-terminated Windows UTF-16 string at addr

threads

The threads of the process

Type:[WinThread] – A list of Thread
time_info

The time information of the process (creation, kernel/user time, exit time)

Type:TimeInfo
token

The process Token

virtual_alloc(size, prot=PAGE_EXECUTE_READWRITE(0x40))[source]

Allocate memory in the process

Returns:The address of the allocated memory
Return type:int
virtual_free(addr)[source]

Free memory in the process that was allocated by virtual_alloc

virtual_protect(addr, size, protect, old_protect=None)

Change the access rights of one or more pages of the process

virtual_protected(**kwds)

A context manager around virtual_protect (the old protection is restored at exit)

wait(timeout=INFINITE(0xffffffff))[source]

Raises ValueError, since waiting on the current process would deadlock

write_byte(addr, byte)

Write a byte at addr

write_dword(addr, dword)

Write a dword at addr

write_memory(addr, data)[source]

Write data at addr

write_ptr(addr, value)

Write a PTR at addr

write_qword(addr, qword)

Write a qword at addr

write_short(addr, word)

Write a word (SHORT) at addr

2.1.2. CurrentThread

class windows.winobject.process.CurrentThread[source]

Bases: windows.winobject.process.Thread

The current thread

exit(code=0)[source]

Exit the thread

handle

A handle on the object

Type:

HANDLE

Note

The handle is automatically closed when the object is destroyed

open_token(flags=MAXIMUM_ALLOWED(0x2000000), as_self=False)

Open the thread token if the thread is impersonating, else return None. as_self selects the security context used for the open: the process security context when True, the calling thread's current (possibly impersonated) context when False

Returns:Token
owner

The current process

Type:CurrentProcess
set_token(token)

Set the token for the thread (impersonation). Setting the token to None reverts the impersonation

tid

Thread ID

Type:int
token

The thread Token

Getter:open_token()
Setter:set_token()
wait(timeout=INFINITE(0xffffffff))[source]

Raises ValueError, since waiting on the current thread would deadlock

2.1.3. WinProcess

Note

See sample Remote process : WinProcess

class windows.winobject.process.WinProcess(pid=None, handle=None, name=None, ppid=None)[source]

Bases: windows.winobject.process.Process

A Process on the system

allocated_memory(**kwds)

Context manager that allocates memory and frees it on exit

Yields:int – the address of the allocated memory
bitness

The bitness of the process

Type:int – 32 or 64
create_thread(addr, param)[source]

Create a remote thread

Return type:WinThread or DeadThread
execute(code, parameter=0)

Execute some native code in the context of the process

Returns:The thread executing the code
Return type:WinThread or DeadThread
execute_python(pycode)[source]

Execute Python code in the remote process.

This function waits for the remote thread running pycode to finish and raises an exception if that thread raised one

execute_python_unsafe(pycode)[source]

Execute Python code in the remote process and return the thread without waiting for it.

Returns:The thread executing the Python code
Return type:WinThread or DeadThread
exit(code=0)[source]

Exit the process

exit_code

The exit code of the process; STILL_ACTIVE means the process has not terminated

Type:int
get_mapped_filename(addr)

The filename mapped at address addr or None

Return type:unicode or None
handle

A handle on the object

Type:

HANDLE

Note

The handle is automatically closed when the object is destroyed

is_exit

True if the process is terminated

Type:bool
is_wow_64

True if the process is a SysWow64 process (a 32-bit process on a 64-bit system).

Type:bool
load_library(dll_path)[source]

Load the library in the remote process

Return type:LoadedModule
memory_state()

Yield the memory information for the whole address space of the process

Yield:MEMORY_BASIC_INFORMATION
name

Name of the process

Type:str
open_token(flags=MAXIMUM_ALLOWED(0x2000000))

Open the process Token

Returns:Token
peb

The PEB of the process (see remotectypes)

Type:PEB
peb_addr

The address of the PEB

Type:int
peb_syswow

The 64-bit PEB of a SysWow64 process

Type:PEB
pid

Process ID

Type:int
ppid

Parent Process ID

Type:int
query_memory(addr)

Query the memory information about the page at addr

Return type:MEMORY_BASIC_INFORMATION
read_byte(addr)

Read a CHAR at addr

read_dword(addr)

Read a DWORD at addr

read_memory(addr, size)[source]

Read size from addr

Returns:The data read
Return type:str
read_memory_into(addr, struct)[source]

Read memory at addr into the ctypes structure struct

Returns:struct
read_ptr(addr)

Read a PTR at addr

read_qword(addr)

Read a ULONG64 at addr

read_short(addr)

Read a SHORT at addr

read_string(addr)

Read a NUL-terminated ASCII string at addr

read_wstring(addr)

Read a NUL-terminated Windows UTF-16 string at addr

threads

The threads of the process

Type:[WinThread] – A list of Thread
time_info

The time information of the process (creation, kernel/user time, exit time)

Type:TimeInfo
token

The process Token

virtual_alloc(size, prot=PAGE_EXECUTE_READWRITE(0x40), addr=None)[source]

Allocate memory in the process

Returns:The address of the allocated memory
Return type:int
virtual_free(addr)[source]

Free memory in the process that was allocated by virtual_alloc

virtual_protect(addr, size, protect, old_protect=None)

Change the access rights of one or more pages of the process

virtual_protected(**kwds)

A context manager around virtual_protect (the old protection is restored at exit)

wait(timeout=INFINITE(0xffffffff))

Wait for the object

write_byte(addr, byte)

Write a byte at addr

write_dword(addr, dword)

Write a dword at addr

write_memory(addr, data)[source]

Write data at addr

write_ptr(addr, value)

Write a PTR at addr

write_qword(addr, qword)

Write a qword at addr

write_short(addr, word)

Write a word (SHORT) at addr
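
One thing memory_state() and query_memory(), available on both CurrentProcess and WinProcess, make cheap is a sweep of the address space for private memory that is writable and executable at the same time, the usual footprint of injected code. The scanner below is an added example written for this page, not code from PythonForWindows: it assumes only the documented MEMORY_BASIC_INFORMATION field names (BaseAddress, RegionSize, State, Protect, Type) and is duck-typed so the same function runs over windows.current_process or a WinProcess. The regions it ships with are constructed so that it runs without Windows.

```python
"""Flag committed private memory that is writable and executable at once.

Added example, not code from PythonForWindows. It relies only on what the
documentation states: process.memory_state() yields one
MEMORY_BASIC_INFORMATION per region, with the fields BaseAddress,
RegionSize, State, Protect and Type.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Constants from <winnt.h>
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000

PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD = 0x100
PAGE_PROTECTION_MASK = 0xFF  # drops the PAGE_GUARD/PAGE_NOCACHE/PAGE_WRITECOMBINE modifiers

WX_PROTECTIONS = (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)


@dataclass(frozen=True)
class Finding:
    base: int
    size: int
    protect: int


def is_wx_private(region) -> bool:
    """True for a committed, private region (not an image, not a mapped
    section) whose base protection allows both writing and execution.

    Private W+X memory has no backing file; outside of JIT engines it is
    the usual footprint of injected shellcode.
    """
    if region.State != MEM_COMMIT or region.Type != MEM_PRIVATE:
        return False
    return (region.Protect & PAGE_PROTECTION_MASK) in WX_PROTECTIONS


def find_wx_regions(regions: Iterable) -> List[Finding]:
    """Walk the regions exactly as memory_state() yields them and collect findings."""
    findings = []
    for region in regions:
        if is_wx_private(region):
            # ctypes hands back None instead of 0 for a NULL PVOID
            findings.append(Finding(region.BaseAddress or 0, region.RegionSize, region.Protect))
    return findings


def scan_process(process) -> List[Finding]:
    """Run the scan over a PythonForWindows process object (current or remote)."""
    return find_wx_regions(process.memory_state())


# Constructed sample regions standing in for MEMORY_BASIC_INFORMATION entries.
@dataclass
class FakeRegion:
    BaseAddress: int
    RegionSize: int
    State: int
    Protect: int
    Type: int


SAMPLE_REGIONS = [
    FakeRegion(0x00400000, 0x1000, MEM_COMMIT, PAGE_READONLY, MEM_IMAGE),             # PE headers
    FakeRegion(0x00401000, 0x8000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE),         # .text
    FakeRegion(0x00410000, 0x10000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),         # heap
    FakeRegion(0x00420000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),  # injected: flagged
    FakeRegion(0x00421000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE | PAGE_GUARD, MEM_PRIVATE),  # guard bit set: still flagged
    FakeRegion(0x00430000, 0x2000, MEM_RESERVE, 0, MEM_PRIVATE),                       # reserved only, Protect undefined
    FakeRegion(0x7FF00000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_MAPPED),   # RWX section view: not private
]

if __name__ == "__main__":
    for f in find_wx_regions(SAMPLE_REGIONS):
        print("W+X private memory at 0x%x (size 0x%x, protect 0x%x)" % (f.base, f.size, f.protect))
```

Run it on a live target with scan_process(windows.current_process) or scan_process(some_winprocess). Two caveats: the result is a snapshot of current protections, so staged injection that writes with PAGE_READWRITE and only then flips to PAGE_EXECUTE_READ is invisible to it; and MEM_MAPPED views with execute+write protection are deliberately left out here, although shared-section injection makes them worth a second rule.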

2.1.4. WinThread

class windows.winobject.process.WinThread(tid=None, handle=None, owner_pid=None, owner=None)[source]

Bases: windows.winobject.process.Thread

Represent a thread

context

The context of the thread; the type depends on the bitness of the target process.

Type:windows.exception.ECONTEXT32 or windows.exception.ECONTEXT64 or windows.exception.ECONTEXTWOW64
context_syswow

The 64-bit context of a SysWow64 thread.

Type:windows.exception.ECONTEXT64
exit(code=0)[source]

Exit the thread

exit_code

The exit code of the thread; STILL_ACTIVE means the thread has not terminated

Type:int
handle

A handle on the object

Type:

HANDLE

Note

The handle is automatically closed when the object is destroyed

is_exit

True if the thread is terminated

Type:bool
open_token(flags=MAXIMUM_ALLOWED(0x2000000), as_self=False)

Open the thread token if the thread is impersonating, else return None. as_self selects the security context used for the open: the process security context when True, the calling thread's current (possibly impersonated) context when False

Returns:Token
owner

The Process owning the thread

Type:WinProcess
resume()[source]

Resume the thread

set_context(context)[source]

Set the thread’s context to context

set_syswow_context(context)[source]

Set the 64-bit context of a SysWow64 thread to context

set_token(token)

Set the token for the thread (impersonation). Setting the token to None reverts the impersonation

start_address

The start address of the thread

Type:int
suspend()[source]

Suspend the thread

teb_base

The address of the thread’s TEB

Type:int
tid

Thread ID

Type:int
token

The thread Token

Getter:open_token()
Setter:set_token()
wait(timeout=INFINITE(0xffffffff))

Wait for the object

class windows.winobject.process.DeadThread(handle, tid=None)[source]

Bases: windows.utils.pythonutils.AutoHandle

An already dead thread (returned only by APIs that create a new thread, when that thread died before it could be returned)

exit_code

The exit code of the thread; STILL_ACTIVE means the thread has not terminated

Type:int
handle

A handle on the object

Type:

HANDLE

Note

The handle is automatically closed when the object is destroyed

is_exit

True if the thread is terminated

Type:bool
wait(timeout=INFINITE(0xffffffff))

Wait for the object

2.2. PEB Exploration

The windows module is able to parse the PEB of the current process or of a remote process. The PEB is accessible via process.peb and is of type PEB.

Note

See sample PEB exploration

2.2.1. PEB

class windows.winobject.process.PEB[source]

The PEB (Process Environment Block) of a process (current or remote)

apisetmap

The ApiSetMap of the process

Return type:A subclass of ApiSetMap
Raise:NotImplementedError – before 6.2 the ApiSetMap did not exist
Raise:NotImplementedError – not implemented for a remote process
commandline

The CommandLine of the PEB

Type:LSA_UNICODE_STRING
exe

The executable of the process, as pointed by PEB.ImageBaseAddress

Type:windows.pe_parse.PEFile
imagepath

The ImagePathName of the PEB

Type:LSA_UNICODE_STRING
modules

The loaded modules present in the PEB

Type:[LoadedModule] – List of loaded modules

2.2.2. LoadedModule

class windows.winobject.process.LoadedModule[source]

An entry in the PEB Ldr list

baseaddr

Base address of the module

Type:int
fullname

Full name of the module (path)

Type:str
name

Name of the module

Type:str
pe

A PE representation of the module

Type:windows.pe_parse.PEFile

2.2.3. ApiSetMap

Note

see sample ApiSetMap

class windows.winobject.apisetmap.ApiSetMap(base)[source]

The base class for the ApiSetMap (see Runtime DLL name resolution: ApiSetSchema)

apisetmap_dict

The apisetmap dll-mapping content extracted from memory as a dict

key -> value example:

u'ext-ms-win-advapi32-encryptedfile-l1-1-1' -> u'advapi32.dll'
resolution_dict

The dict based on apisetmap_dict with only the part checked by Windows.

Windows ignores everything after the last '-' (the minor version) when it resolves a name, so the keys keep the name up to and including that dash

key -> value example:

u'ext-ms-win-advapi32-encryptedfile-l1-1-' -> u'advapi32.dll'
resolve(dllname)[source]

The method used to resolve a DLL name using the ApiSetMap. The behavior should match the non-exported function ntdll!ApiSetResolveToHost

version = None

The version of the ApiSetMap

Note

Currently supported ApiSetMap versions are 2, 4 and 6

class windows.winobject.apisetmap.ApiSetMapVersion2(base)[source]

Represent an ApiSetMap version-2

version = 2

The version of the ApiSetMap

class windows.winobject.apisetmap.ApiSetMapVersion4(base)[source]

Represent an ApiSetMap version-4

version = 4

The version of the ApiSetMap

class windows.winobject.apisetmap.ApiSetMapVersion6(base)[source]

Represent an ApiSetMap version-6

version = 6

The version of the ApiSetMap
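
The resolution rule described for resolution_dict and resolve() above is short enough to reproduce in full. The code below is an added example written for this page, not PythonForWindows' own resolve(): it builds the resolution table from a mapping constructed in the key/value shape documented for apisetmap_dict (the real table is read from the PEB and differs between Windows builds), keeps the name only up to its last '-', and mirrors the prefix check ntdll performs before consulting the map (only api- and ext- names are looked up). The sample entries other than the one shown above are made up for the example.

```python
"""Resolve an ApiSet contract name to the DLL that implements it.

Added example; not PythonForWindows' ApiSetMap.resolve(). The rule: a name is
compared only up to and including its last '-', so the trailing minor version
(and a ".dll" suffix, which also sits after that dash) never takes part in the
lookup. SAMPLE_APISETMAP_DICT is constructed for this example.
"""

SAMPLE_APISETMAP_DICT = {
    "ext-ms-win-advapi32-encryptedfile-l1-1-1": "advapi32.dll",  # the entry shown in the doc
    "api-ms-win-core-processthreads-l1-1-2": "kernel32.dll",     # constructed
    "api-ms-win-crt-string-l1-1-0": "ucrtbase.dll",              # constructed
    "api-ms-win-core-unimplemented-l1-1-0": "",                  # constructed: contract declared, no host DLL
}


def resolution_key(name: str) -> str:
    """Lower-case the name and keep everything up to and including the last '-'."""
    name = name.lower()
    return name[: name.rfind("-") + 1]


def build_resolution_dict(apisetmap_dict):
    """Shape of ApiSetMap.resolution_dict: only the part Windows compares."""
    return {resolution_key(contract): host for contract, host in apisetmap_dict.items()}


def is_apiset_name(dllname: str) -> bool:
    """Only names starting with api- or ext- (case-insensitive) go through the ApiSetMap."""
    return dllname[:4].lower() in ("api-", "ext-")


def resolve(resolution_dict, dllname: str):
    """Return the host DLL for dllname, or None when the name is not an ApiSet
    contract, has no entry, or maps to an empty host (declared but unimplemented)."""
    if not is_apiset_name(dllname):
        return None
    return resolution_dict.get(resolution_key(dllname)) or None


SAMPLE_RESOLUTION_DICT = build_resolution_dict(SAMPLE_APISETMAP_DICT)

if __name__ == "__main__":
    for name in ("api-ms-win-core-processthreads-l1-1-9.dll",
                 "EXT-MS-WIN-ADVAPI32-ENCRYPTEDFILE-L1-1-0",
                 "kernel32.dll"):
        print(name, "->", resolve(SAMPLE_RESOLUTION_DICT, name))
```

A name that resolves is not necessarily a module already present in process.peb.modules; the host is loaded on demand, so resolution tells you whose exports to look at, not that they are mapped yet. Newer schema versions can also carry several hosts for one contract, selected by the importing module's name, which the flat dict form above cannot express.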

2.3. PEFile - Parsing loaded PE

2.3.1. windows.pe_parse

windows.pe_parse.GetPEFile(baseaddr, target=None, force_bitness=None)[source]

Returns a PEFile to explore a PE loaded at baseaddr in process target.

Return type:PEFile

Note

If target is None it refers to the current process

2.3.1.1. PEFile

class windows.pe_parse.PEFile(target, baseaddr, targetedbitness, transformers)[source]

Represent a PE loaded in a process (current or remote)

export_name

The Name attribute of the EXPORT_DIRECTORY

exports

The exports of the PE in a dict. Keys are ordinal (int) and name (str). The values are the addresses of the exports.

Type:{(int or str) : int}
imports

The imports of the PE in a dict. Keys are the names of DLL to import from and values are list of IATEntry

Type:{str : [IATEntry]}

2.3.1.2. IATEntry

class windows.pe_parse.IATEntry[source]

Represents an entry in the IAT of a module. It can be used to read the resolved value of the entry and to set up a hook on it.

addr

int : Address of the IAT Entry

ord

int : Ordinal of the imported function

name

str : Name of the imported function

value

int : The content (destination) of the IAT entry

Warning

value is a descriptor: setting it actually CHANGES THE IAT ENTRY in memory. The IAT normally sits in a read-only page, so the write raises an access violation unless the page has first been made writable (for instance with virtual_protect or the virtual_protected context manager).

remove_hook()[source]

Remove the hook on the entry

set_hook(callback, types=None)[source]

Setup a hook on the entry and return it. You MUST keep a reference to the hook while the hook is enabled, otherwise the Python object behind the hook can be garbage collected while native code still calls into it.

Parameters:callback – the hook callback (see Hook protocol)
Return type:windows.hooks.IATHook

Warning

This works only for a PEFile whose target is the current process.