#
# PyDBG
# Copyright (C) 2006 Pedram Amini <[email protected]>
#
# $Id: system_dll.py 238 2010-04-05 20:40:46Z rgovostes $
#
# This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public
# License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later
# version.
#
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with this program; if not, write to the Free
# Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
'''
@author: Pedram Amini
@license: GNU General Public License 2.0 or later
@contact: [email protected]
@organization: www.openrce.org
'''
from __future__ import print_function
import os.path
from .windows_h import *
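# macos compatibility: fall back to the bundled libmacdll.dylib when ctypes' windll is unavailable (NameError on a
# non-windows ctypes), has no kernel32/psapi attribute, or the library cannot be loaded (OSError). only the failures
# the fallback can actually address are caught, so an unrelated error or a KeyboardInterrupt is no longer swallowed by
# a bare except.
try:
    kernel32 = windll.kernel32
    psapi    = windll.psapi
except (NameError, AttributeError, OSError):
    kernel32 = CDLL(os.path.join(os.path.dirname(__file__), "libmacdll.dylib"))
    psapi    = kernel32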
from .pdx import *
import os
import ctypes
from ctypes import wintypes
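LPSTR = POINTER(CHAR)

# explicit prototypes for the win32 calls this module relies on. ctypes.windll only exists on windows, so the macos
# fallback above never reaches a working state for this block. ctypes caches one WinDLL per library name (and one
# function pointer per exported name on it), so the argtypes / restype set here presumably also govern calls made
# through the module-level kernel32 / psapi aliases when those come from the same ctypes windll loader.

# GetMappedFileNameA() returns the number of characters copied into the buffer, 0 on failure: a DWORD, not a BOOL.
GetMappedFileNameA = ctypes.windll.psapi.GetMappedFileNameA
GetMappedFileNameA.argtypes = (wintypes.HANDLE, wintypes.LPVOID, LPSTR, wintypes.DWORD)
GetMappedFileNameA.restype  = wintypes.DWORD

CreateFileMappingA = ctypes.windll.kernel32.CreateFileMappingA
CreateFileMappingA.argtypes = (wintypes.HANDLE, wintypes.LPVOID, wintypes.DWORD, wintypes.DWORD, wintypes.DWORD, LPSTR)
CreateFileMappingA.restype  = wintypes.HANDLE

# GetCurrentProcess() returns a pseudo-handle, so its result is pointer-sized. declared exactly once: the original file
# declared it twice and the second declaration (restype = BOOL) overrode this HANDLE result with a 32-bit integer.
GetCurrentProcess = ctypes.windll.kernel32.GetCurrentProcess
GetCurrentProcess.argtypes = []
GetCurrentProcess.restype  = wintypes.HANDLE

# declared once (the original file repeated this identical prototype twice).
OpenProcessToken = ctypes.windll.advapi32.OpenProcessToken
OpenProcessToken.argtypes = (wintypes.HANDLE, wintypes.DWORD, ctypes.POINTER(wintypes.HANDLE))
OpenProcessToken.restype  = wintypes.BOOL

IsWow64Process = ctypes.windll.kernel32.IsWow64Process
IsWow64Process.argtypes = [wintypes.HANDLE, ctypes.POINTER(wintypes.BOOL)]
IsWow64Process.restype  = wintypes.BOOL

# BOOL result added so callers get the documented success flag rather than ctypes' default c_int.
ReadProcessMemory = ctypes.windll.kernel32.ReadProcessMemory
ReadProcessMemory.argtypes = [HANDLE, LPVOID, LPVOID, c_size_t, POINTER(c_size_t)]
ReadProcessMemory.restype  = wintypes.BOOL

VirtualProtectEx = ctypes.windll.kernel32.VirtualProtectEx
VirtualProtectEx.argtypes = [wintypes.HANDLE, LPVOID, c_size_t, wintypes.DWORD, POINTER(wintypes.DWORD)]
VirtualProtectEx.restype  = wintypes.BOOL

Module32First = ctypes.windll.kernel32.Module32First
Module32First.argtypes = (wintypes.HANDLE, POINTER(MODULEENTRY32))
Module32First.restype  = wintypes.BOOL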
####################################################################################################################
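class system_dll:
    '''
    System DLL descriptor object, used to keep track of loaded system DLLs and locations.

    The descriptor owns the DLL file handle it was constructed with and closes it in L{__del__}.

    @todo: Add PE parsing support.
    '''

    handle = None
    base   = None
    name   = None
    path   = None
    pe     = None
    size   = 0

    ####################################################################################################################
    def __init__ (self, handle, base):
        '''
        Given a handle and base address of the loaded DLL, determine the DLL name and size to fully initialize the
        system DLL object.

        The on-disk path is resolved by mapping a single byte of the file read-only (PAGE_READONLY / FILE_MAP_READ) and
        asking GetMappedFileNameA() which file backs that view. If any step of that fails, L{path} and L{name} are left
        as None instead of raising; every mapping and view that was created is released regardless.

        @type  handle: HANDLE
        @param handle: Handle to the loaded DLL
        @type  base:   DWORD
        @param base:   Loaded address of DLL
        '''

        self.handle = handle
        self.base   = base
        self.name   = None
        self.path   = None
        self.pe     = None
        self.size   = 0

        # calculate the file size of the dll. GetFileSize() returns the low DWORD and fills in the high DWORD through
        # its out parameter, so the high half belongs 32 bits up (the original shifted it by only 8).
        # NOTE(review): a return value of INVALID_FILE_SIZE (0xFFFFFFFF) signals failure and is not special-cased here;
        # with ctypes' default c_int result it surfaces as -1 in the sum.
        file_size_hi = c_ulong(0)
        file_size_lo = kernel32.GetFileSize(handle, byref(file_size_hi))

        self.size = (file_size_hi.value << 32) + file_size_lo

        # create a read-only file mapping from the dll handle. one byte is all we need to resolve the backing file.
        file_map = kernel32.CreateFileMappingA(handle, c_void_p(0), c_ulong(PAGE_READONLY), c_ulong(0), c_ulong(1), b"")

        if not file_map:
            return

        try:
            # map a single byte of the dll into memory so we can query for the file name.
            kernel32.MapViewOfFile.restype = POINTER(c_char)
            file_ptr = kernel32.MapViewOfFile(file_map, FILE_MAP_READ, 0, 0, 1)

            if not file_ptr:
                return

            try:
                self._resolve_path(file_ptr)
            finally:
                # unmap even if the name lookup blew up; the original leaked the view and mapping on that path.
                kernel32.UnmapViewOfFile(file_ptr)
        finally:
            kernel32.CloseHandle(file_map)

    ####################################################################################################################
    def _resolve_path (self, file_ptr):
        '''
        Fill in L{path} and L{name} from the name GetMappedFileNameA() reports for the view at file_ptr.

        GetMappedFileNameA() hands back a native device path (\\Device\\<volume>\\<path>); the leading device and volume
        components are dropped rather than translated through QueryDosDevice(), matching the original behaviour.

        @type  file_ptr: POINTER(c_char)
        @param file_ptr: Base of a mapped view of the DLL file in the current process
        '''

        filename = create_string_buffer(2048)
        copied   = psapi.GetMappedFileNameA(kernel32.GetCurrentProcess(), file_ptr, filename, c_ulong(2048))

        if not copied:
            # lookup failed and the buffer is empty; leave path / name unset instead of raising IndexError below.
            return

        raw   = filename.value
        parts = raw.split(b"\\", 3)

        if len(parts) < 4:
            # not the \Device\<volume>\<path> shape we expect; keep the whole string rather than failing.
            self.path = raw
        else:
            # store the full path. this is kind of ghetto, but i didn't want to mess with QueryDosDevice() etc ...
            self.path = b"\\" + parts[3]

        # store the file name. the buffer holds bytes, so the separator must be bytes too: the original searched for
        # os.sep (a str on python 3), which always raised and silently fell back to the full path.
        self.name = raw[raw.rfind(b"\\") + 1:]

    ####################################################################################################################
    def __del__ (self):
        '''
        Close the DLL handle this descriptor owns. A no-op when no handle was ever assigned.
        '''

        if self.handle:
            kernel32.CloseHandle(self.handle)
            self.handle = None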