Python win32process.GetModuleFileNameEx() Examples
The following are 6 code examples of win32process.GetModuleFileNameEx().
Example #1
Source File: windows-privesc-check.py From WHP with Do What The F*ck You Want To Public License | 5 votes |
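def _process_user(ph):
    """Return "DOMAIN\\account" for the process behind handle *ph*.

    Best effort: yields "unknown\\unknown" when the token cannot be opened
    or its owner SID cannot be resolved, so one odd process never aborts
    the whole scan. The token handle is always closed. Uses the module
    globals TokenUser and remote_server, defined elsewhere in the script.
    """
    user = "unknown\\unknown"
    try:
        tokenh = win32security.OpenProcessToken(ph, win32con.TOKEN_QUERY)
    except Exception:
        return user
    try:
        sidObj, intVal = win32security.GetTokenInformation(tokenh, TokenUser)
        if sidObj:
            accountName, domainName, accountTypeInt = \
                win32security.LookupAccountSid(remote_server, sidObj)
            user = domainName + "\\" + accountName
    except Exception:
        # Unresolvable SID (deleted account, unreachable domain): keep the
        # placeholder instead of stopping the scan.
        pass
    finally:
        win32api.CloseHandle(tokenh)
    return user


def check_processes():
    """Check every process we can open for writable executables and DLLs.

    For each PID from EnumProcesses(): open it with the minimum rights
    module enumeration needs, resolve the account it runs as (informational
    only - the value is not used in any issue text yet), then run
    check_weak_write_perms(path, 'file') on the main executable and on
    every other loaded module. Findings are recorded with
    save_issue("WPC016", ...) under "weak_perms_exes" / "weak_perms_dlls".
    Progress goes to stdout, one character per process: "?" could not be
    opened, "." opened, "!" weak permissions found. A newline is written
    when the scan ends (the original used a bare Python 2 print; the
    explicit write produces the same output and also parses on Python 3).

    check_weak_write_perms, save_issue, remote_server and TokenUser are
    module-level names defined elsewhere in the script.
    """
    pids = win32process.EnumProcesses()
    # TODO also check out WMI. It might not be running, but it could help if it is:
    # http://groups.google.com/group/comp.lang.python/browse_thread/thread/1f50065064173ccb
    # TODO process explorer can find quite a lot more information than this script.
    # This script has several problems:
    # TODO I can't open 64-bit processes for a 32-bit app. I get this error:
    #   ERROR: can't open 6100: 299 EnumProcessModules, Only part of a ReadProcessMemory
    #   or WriteProcessMemory request was completed.
    # TODO I can't seem to get the name of elevated processes (user running as me, but with admin privs)
    # TODO I can't get details of certain processes running as SYSTEM on xp (e.g. pid 4 "system", csrss.exe)
    # TODO should be able to find name (and threads?) for all processes. Not necessarily path.
    for pid in sorted(pids):
        # TODO there's a security descriptor for each process accessible via GetSecurityInfo
        # according to http://msdn.microsoft.com/en-us/library/ms684880%28VS.85%29.aspx
        # TODO could we connect with PROCESS_QUERY_LIMITED_INFORMATION instead on Vista+
        try:
            ph = win32api.OpenProcess(
                win32con.PROCESS_VM_READ | win32con.PROCESS_QUERY_INFORMATION,
                False, pid)
        except Exception:
            # Usually access denied (another user's or a protected process).
            sys.stdout.write("?")
            continue
        try:
            user = _process_user(ph)  # informational only, see docstring
            sys.stdout.write(".")
            try:
                mhs = list(win32process.EnumProcessModules(ph))
            except Exception:
                # e.g. error 299 when a 32-bit scanner meets a 64-bit process.
                continue
            if not mhs:
                continue
            # The first entry is the process's own executable (the original
            # relied on this too); the remaining entries are loaded modules.
            try:
                exe = win32process.GetModuleFileNameEx(ph, mhs.pop(0))
            except Exception:
                continue
            weak_perms = check_weak_write_perms(exe, 'file')
            if weak_perms:
                save_issue("WPC016", "weak_perms_exes", weak_perms)
                sys.stdout.write("!")
            for mh in mhs:
                try:
                    dll = win32process.GetModuleFileNameEx(ph, mh)
                except Exception:
                    # Module unloaded between enumeration and lookup.
                    continue
                weak_perms = check_weak_write_perms(dll, 'file')
                if weak_perms:
                    save_issue("WPC016", "weak_perms_dlls", weak_perms)
                    sys.stdout.write("!")
        finally:
            # The pywin32 handle object would close itself on garbage
            # collection, but be explicit so the scan never holds thousands
            # of process handles open at once.
            win32api.CloseHandle(ph)
    sys.stdout.write("\n")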
Example #2
Source File: debugger.py From peach with Mozilla Public License 2.0 | 5 votes |
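def GetProcessIdByName(procname):
    """
    Try and get pid for a process by name.

    *procname* is matched case-insensitively as a substring of the full
    path of every module loaded in each process (not only the main
    executable), so a name that also occurs in a DLL path or a directory
    name can match an unrelated process; pass as specific a name as
    possible (e.g. "notepad.exe"). Our own process is skipped. Returns
    the first matching pid, or None when nothing matches or *procname*
    is empty. Processes that cannot be opened or enumerated are skipped;
    every opened handle is closed.
    """
    procname = procname.lower()
    if not procname:
        # An empty pattern is a substring of every path and would return an
        # arbitrary foreign process; treat it as "no match".
        return None
    ourPid = -1
    try:
        ourPid = win32api.GetCurrentProcessId()
    except Exception:
        pass
    access = win32con.PROCESS_QUERY_INFORMATION | win32con.PROCESS_VM_READ
    for pid in win32process.EnumProcesses():
        if pid == ourPid:
            continue
        try:
            hPid = win32api.OpenProcess(access, 0, pid)
        except Exception:
            # Access denied or the process is already gone.
            continue
        try:
            for mid in win32process.EnumProcessModules(hPid):
                name = str(win32process.GetModuleFileNameEx(hPid, mid))
                if procname in name.lower():
                    return pid
        except Exception:
            # Module list unreadable (e.g. 32/64-bit mismatch): skip it.
            pass
        finally:
            win32api.CloseHandle(hPid)
    return None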
Example #3
Source File: logwriter.py From darkc0de-old-stuff with GNU General Public License v3.0 | 5 votes |
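def GetProcessNameFromHwnd(self, hwnd):
    '''Acquire the process name from the window handle for use in the log filename.

    Looks up the process that owns *hwnd*, opens it with only the rights a
    module path lookup needs (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    instead of PROCESS_ALL_ACCESS) and returns the full path of its main
    executable (module handle 0 denotes the process's own image). The
    process handle is closed before returning, also when the lookup
    raises. Errors from OpenProcess / GetModuleFileNameEx propagate.
    '''
    threadpid, procpid = win32process.GetWindowThreadProcessId(hwnd)
    # Least privilege: PROCESS_ALL_ACCESS (0x1F0FFF) is far more than this
    # lookup needs, and an open request for rights we do not hold fails as
    # a whole even though the path alone would have been readable.
    mypyproc = win32api.OpenProcess(
        win32con.PROCESS_QUERY_INFORMATION | win32con.PROCESS_VM_READ,
        False, procpid)
    try:
        procname = win32process.GetModuleFileNameEx(mypyproc, 0)
    finally:
        win32api.CloseHandle(mypyproc)
    return procname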
Example #4
Source File: pykill.py From BitTorrent with GNU General Public License v3.0 | 5 votes |
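def kill_process(name):
    """Terminate the first process whose executable name matches *name*.

    Walks EnumProcesses(), skips our own PID, and for every process we can
    open resolves the basename of its main executable and hands it to
    compare(name, basename) (defined elsewhere in this module). On a match
    the process is terminated with exit code 0 and True is returned; if no
    process matches, False. Processes that cannot be opened, that expose
    no module list or whose executable path cannot be read are skipped
    silently. Every opened handle is closed, also on the error paths.
    """
    own_pid = win32api.GetCurrentProcessId()
    access = (win32con.PROCESS_QUERY_INFORMATION
              | win32con.PROCESS_VM_READ
              | win32con.PROCESS_TERMINATE)
    for pid in win32process.EnumProcesses():
        # do try not to kill yourself
        if pid == own_pid:
            continue
        try:
            p = win32api.OpenProcess(access, False, pid)
        except Exception:
            continue
        if not p:
            continue
        try:
            try:
                hl = win32process.EnumProcessModules(p)
                if not hl:
                    continue
                # The first module handle is the process's main executable.
                pname = win32process.GetModuleFileNameEx(p, hl[0])
            except Exception:
                # Module list unreadable (e.g. 32/64-bit mismatch) or the
                # process exited meanwhile; skip it.
                continue
            pname = os.path.basename(pname)
            if compare(name, pname):
                win32api.TerminateProcess(p, 0)
                return True
        finally:
            win32api.CloseHandle(p)
    return False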
Example #5
Source File: copy_dlls.py From rekall with GNU General Public License v2.0 | 4 votes |
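def EnumMissingModules():
    """Enumerate all modules which match the patterns MODULE_PATTERNS.

    PyInstaller often fails to locate all dlls which are required at
    runtime. We import all the client modules here, then simply introspect
    all the modules we have loaded in our current running process, and
    all the ones matching the patterns are copied into the client package.
    Afterwards every .dll under UCRT_DIR/<arch> is yielded as well (see
    the rekall issue referenced below). PROCESS_QUERY_INFORMATION,
    PROCESS_VM_READ and UCRT_DIR are module-level names defined elsewhere.

    Yields:
      a source file for a linked dll (lower-cased path for the modules of
      this process; joined path for the UCRT dlls).

    Raises:
      OSError: if the current process cannot be opened or its module list
        cannot be read.
    """
    module_handle = ctypes.c_ulong()
    count = ctypes.c_ulong()
    process_handle = ctypes.windll.kernel32.OpenProcess(
        PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, os.getpid())
    if not process_handle:
        raise OSError("OpenProcess failed for pid %d" % os.getpid())
    try:
        # First call only asks how many bytes the full module list needs
        # (written to count); the one-element buffer is intentionally small.
        if not ctypes.windll.psapi.EnumProcessModules(
                process_handle, ctypes.byref(module_handle),
                ctypes.sizeof(module_handle), ctypes.byref(count)):
            raise OSError("EnumProcessModules failed")

        # The size of a handle is pointer size (i.e. 64 bit on amd64 and 32 bit on
        # i386).
        if sys.maxsize > 2 ** 32:
            handle_type = ctypes.c_ulonglong
            dlls_arch = "x64"
        else:
            handle_type = ctypes.c_ulong
            dlls_arch = "x86"

        module_list = (handle_type * (count.value // ctypes.sizeof(handle_type)))()
        # Trailing 2 is the dwFilterFlag argument, kept as in the original.
        if not ctypes.windll.psapi.EnumProcessModulesEx(
                process_handle, ctypes.byref(module_list), ctypes.sizeof(module_list),
                ctypes.byref(count), 2):
            raise OSError("EnumProcessModulesEx failed")
        # count now holds the bytes actually needed; only walk the entries
        # that were filled (a module may have been loaded or unloaded
        # between the two calls), never the zeroed tail of the buffer.
        filled = min(len(module_list), count.value // ctypes.sizeof(handle_type))

        for x in module_list[:filled]:
            module_filename = win32process.GetModuleFileNameEx(process_handle, x).lower()
            # PyInstaller is pretty bad in finding all the imported pyd files, and dlls.
            if ("winsxs" in module_filename or
                    "site-packages" in module_filename or
                    module_filename.endswith(".pyd") or
                    "msvc" in module_filename or
                    "\\dlls" in module_filename):
                yield module_filename
            else:
                print("Skipping %s" % module_filename)
    finally:
        # The raw ctypes handle is not a pywin32 object and is never closed
        # automatically.
        ctypes.windll.kernel32.CloseHandle(process_handle)

    # See issue https://github.com/google/rekall/issues/335
    # We need to copy all these DLLs into the target as well.
    ucrt_dir = os.path.join(UCRT_DIR, dlls_arch)
    for filename in os.listdir(ucrt_dir):
        if filename.lower().endswith(".dll"):
            yield os.path.join(ucrt_dir, filename)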
Example #6
Source File: windowsprivcheck.py From LHF with GNU General Public License v3.0 | 4 votes |
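def _process_user(ph):
    """Return "DOMAIN\\account" for the process behind handle *ph*.

    Best effort: yields "unknown\\unknown" when the token cannot be opened
    or its owner SID cannot be resolved, so one odd process never aborts
    the whole scan. The token handle is always closed. Uses the module
    globals TokenUser and remote_server, defined elsewhere in the script.
    """
    user = "unknown\\unknown"
    try:
        tokenh = win32security.OpenProcessToken(ph, win32con.TOKEN_QUERY)
    except Exception:
        return user
    try:
        sidObj, intVal = win32security.GetTokenInformation(tokenh, TokenUser)
        if sidObj:
            accountName, domainName, accountTypeInt = \
                win32security.LookupAccountSid(remote_server, sidObj)
            user = domainName + "\\" + accountName
    except Exception:
        # Unresolvable SID (deleted account, unreachable domain): keep the
        # placeholder instead of stopping the scan.
        pass
    finally:
        win32api.CloseHandle(tokenh)
    return user


def check_processes():
    """Check every process we can open for writable executables and DLLs.

    For each PID from EnumProcesses(): open it with the minimum rights
    module enumeration needs, resolve the account it runs as (informational
    only - the value is not used in any issue text yet), then run
    check_weak_write_perms(path, 'file') on the main executable and on
    every other loaded module. Findings are recorded with
    save_issue("WPC016", ...) under "weak_perms_exes" / "weak_perms_dlls".
    Progress goes to stdout, one character per process: "?" could not be
    opened, "." opened, "!" weak permissions found. A newline is written
    when the scan ends (the original used a bare Python 2 print; the
    explicit write produces the same output and also parses on Python 3).

    check_weak_write_perms, save_issue, remote_server and TokenUser are
    module-level names defined elsewhere in the script.
    """
    pids = win32process.EnumProcesses()
    # TODO also check out WMI. It might not be running, but it could help if it is:
    # http://groups.google.com/group/comp.lang.python/browse_thread/thread/1f50065064173ccb
    # TODO process explorer can find quite a lot more information than this script.
    # This script has several problems:
    # TODO I can't open 64-bit processes for a 32-bit app. I get this error:
    #   ERROR: can't open 6100: 299 EnumProcessModules, Only part of a ReadProcessMemory
    #   or WriteProcessMemory request was completed.
    # TODO I can't seem to get the name of elevated processes (user running as me, but with admin privs)
    # TODO I can't get details of certain processes running as SYSTEM on xp (e.g. pid 4 "system", csrss.exe)
    # TODO should be able to find name (and threads?) for all processes. Not necessarily path.
    for pid in sorted(pids):
        # TODO there's a security descriptor for each process accessible via GetSecurityInfo
        # according to http://msdn.microsoft.com/en-us/library/ms684880%28VS.85%29.aspx
        # TODO could we connect with PROCESS_QUERY_LIMITED_INFORMATION instead on Vista+
        try:
            ph = win32api.OpenProcess(
                win32con.PROCESS_VM_READ | win32con.PROCESS_QUERY_INFORMATION,
                False, pid)
        except Exception:
            # Usually access denied (another user's or a protected process).
            sys.stdout.write("?")
            continue
        try:
            user = _process_user(ph)  # informational only, see docstring
            sys.stdout.write(".")
            try:
                mhs = list(win32process.EnumProcessModules(ph))
            except Exception:
                # e.g. error 299 when a 32-bit scanner meets a 64-bit process.
                continue
            if not mhs:
                continue
            # The first entry is the process's own executable (the original
            # relied on this too); the remaining entries are loaded modules.
            try:
                exe = win32process.GetModuleFileNameEx(ph, mhs.pop(0))
            except Exception:
                continue
            weak_perms = check_weak_write_perms(exe, 'file')
            if weak_perms:
                save_issue("WPC016", "weak_perms_exes", weak_perms)
                sys.stdout.write("!")
            for mh in mhs:
                try:
                    dll = win32process.GetModuleFileNameEx(ph, mh)
                except Exception:
                    # Module unloaded between enumeration and lookup.
                    continue
                weak_perms = check_weak_write_perms(dll, 'file')
                if weak_perms:
                    save_issue("WPC016", "weak_perms_dlls", weak_perms)
                    sys.stdout.write("!")
        finally:
            # The pywin32 handle object would close itself on garbage
            # collection, but be explicit so the scan never holds thousands
            # of process handles open at once.
            win32api.CloseHandle(ph)
    sys.stdout.write("\n")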