7. windows.utils – Windows Utilities

7.1. Context Managers

windows.utils provides some context managers wrapping standard contextual operations like VirtualProtect or SysWow Redirection

7.1.1. VirtualProtected

class windows.utils.VirtualProtected(addr, size, new_protect)[source]

A context manager usable like VirtualProtect that will restore the old protection at exit

with utils.VirtualProtected(IATentry.addr, ctypes.sizeof(PVOID), gdef.PAGE_EXECUTE_READWRITE):
    IATentry.value = 0x42424242

7.1.2. DisableWow64FsRedirection

class windows.utils.DisableWow64FsRedirection[source]

A context manager that disable the SysWow64 Filesystem Redirection

if is_process_32_bits:
    def pop_calc_64():
        with windows.utils.DisableWow64FsRedirection():
            return windows.utils.create_process(r"C:\Windows\system32\calc.exe", True)

7.2. Helper functions

windows.utils.sprint(struct, name='struct', hexa=True)[source]

Print recursively the content of a ctypes structure

Example:
>>> cert
<Certificate "YOLO2" serial="6f 1d 3e 7d d9 77 59 a9 4c 1c 53 dc 80 db 0c fe">
>>> windows.utils.sprint(cert)
struct.dwCertEncodingType -> 0x1L
struct.pbCertEncoded<deref> -> 0x30
struct.cbCertEncoded -> 0x1a7L
struct.pCertInfo<deref>.dwVersion -> 0x2L
struct.pCertInfo<deref>.SerialNumber.cbData -> 0x10L
struct.pCertInfo<deref>.SerialNumber.pbData<deref> -> 0xfe
struct.pCertInfo<deref>.SignatureAlgorithm.pszObjId -> '1.2.840.113549.1.1.5'
struct.pCertInfo<deref>.SignatureAlgorithm.Parameters.cbData -> 0x2L
struct.pCertInfo<deref>.SignatureAlgorithm.Parameters.pbData<deref> -> 0x5
struct.pCertInfo<deref>.Issuer.cbData -> 0x12L
struct.pCertInfo<deref>.Issuer.pbData<deref> -> 0x30
struct.pCertInfo<deref>.NotBefore.dwLowDateTime -> 0x718ddc00L
struct.pCertInfo<deref>.NotBefore.dwHighDateTime -> 0x1d249bbL
struct.pCertInfo<deref>.NotAfter.dwLowDateTime -> 0x34ef0c00L
struct.pCertInfo<deref>.NotAfter.dwHighDateTime -> 0x1d368bfL
...
windows.utils.enable_privilege(lpszPrivilege, bEnablePrivilege)[source]

Enable or disable a privilege:

enable_privilege(SE_DEBUG_NAME, True)
windows.utils.check_is_elevated()[source]

Return True if process is Admin

windows.utils.check_debug()[source]

Check that kernel is in debug mode (beware of NOUMEX):

https://msdn.microsoft.com/en-us/library/windows/hardware/ff556253(v=vs.85).aspx#_______noumex______

windows.utils.create_process(path, args=None, dwCreationFlags=0, show_windows=True, machine=None)[source]

A convenient wrapper arround windows.winproxy.CreateProcessW() ..note:

The machine param only works starting at vista and should be used on arm64 computer

windows.utils.create_console()[source]

Create a new console displaying STDOUT. Useful in injection of GUI process

windows.utils.pop_shell(locs=None)[source]

Pop a console with an InterativeConsole

windows.utils.create_file_from_handle(handle, mode='r')[source]

Return a Python file around a Windows HANDLE

windows.utils.get_handle_from_file(f)[source]

Get the Windows HANDLE of a python file

windows.utils.get_short_path(path)[source]

Return the short path form for path

Raise:

WinproxyError if path does not exists

Parameters:

path (str | unicode) – a valid Windows path

Returns:

str | unicode – same type as path parameter

windows.utils.get_long_path(path)[source]

Return the long path form for path.

Raise:

WinproxyError if path does not exists

Parameters:

path (str | unicode) – a valid Windows path

Returns:

str | unicode – same type as path parameter