Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- from ctypes import create_string_buffer, c_ulong, byref, windll
- from subprocess import check_output
- import psutil, struct, win32security, win32api, win32ui, win32process, win32con
- PROCNAME = "Calculator.exe"
- for proc in psutil.process_iter():
- if proc.name() == PROCNAME:
- pid = proc.pid
- print(pid)
- hwnd = 1
- priv_flags = win32security.TOKEN_ADJUST_PRIVILEGES | win32security.TOKEN_QUERY
- hToken = win32security.OpenProcessToken (win32api.GetCurrentProcess(),
- priv_flags)
- # enable "debug process"
- privilege_id = win32security.LookupPrivilegeValue(None,
- win32security.SE_DEBUG_NAME)
- old_privs = win32security.AdjustTokenPrivileges(hToken, 0,
- [(privilege_id,
- win32security.SE_PRIVILEGE_ENABLED)])
- # Open the process, and query it's filename
- pshandle = win32api.OpenProcess(win32con.PROCESS_ALL_ACCESS, False,
- pid)
- bytes= 1000
- address=0x1
- ReadProcessMemory = windll.kernel32.ReadProcessMemory
- buffer = create_string_buffer(bytes)
- bytesRead = c_ulong(0)
- bufferSize = bytes
- ReadProcessMemory(pshandle.handle, address, buffer, bufferSize, byref(bytesRead))
- string = buffer.raw
- print(string)
- try:
- exename = win32process.GetModuleFileNameEx(pshandle, 0)
- except pywintypes.error:
- # insert code to call GetProcessImageName if we can find it..
- # returning None from here will hopefully break all following code
- exename = None
- finally:
- # clean up
- win32api.CloseHandle(pshandle)
- win32api.CloseHandle(hToken)
- print(exename)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
