  1. import ctypes
  2. from ctypes.wintypes import WORD, DWORD, LPVOID
  3. import psutil
  4. import sys
  5.  
def First_scan(hit_pool: list[int], target_value: float) -> list[int]:
    """Scan the target process for 8-byte doubles close to *target_value*.

    Walks the address range reported by GetSystemInfo with VirtualQueryEx and,
    in every region that is both MEM_COMMIT and PAGE_READWRITE, reads one
    double every 8 bytes with ReadProcessMemory.  Addresses whose value lies
    strictly between ``target_value - 1`` and ``target_value + 1`` are
    appended to *hit_pool*.

    Args:
        hit_pool: list the matching addresses are appended to (mutated in place).
        target_value: number the scanned doubles are compared against.

    Returns:
        The same *hit_pool* object, with the matching addresses appended.

    Raises:
        NameError: when no psutil process matches the name/RSS filter below,
            because ``PID`` is only bound inside that loop.
        AttributeError: off Windows, since ``ctypes.WinDLL`` is Windows-only.
    """
    PVOID = LPVOID
    SIZE_T = ctypes.c_size_t

    # https://msdn.microsoft.com/en-us/library/aa383751#DWORD_PTR
    # Pointer-sized unsigned integer, picked from the interpreter's pointer
    # width.  (If neither branch matched, DWORD_PTR would stay unbound.)
    if ctypes.sizeof(ctypes.c_void_p) == ctypes.sizeof(ctypes.c_ulonglong):
        DWORD_PTR = ctypes.c_ulonglong
    elif ctypes.sizeof(ctypes.c_void_p) == ctypes.sizeof(ctypes.c_ulong):
        DWORD_PTR = ctypes.c_ulong

    class SYSTEM_INFO(ctypes.Structure):
        """ctypes mirror of the Win32 SYSTEM_INFO struct.

        https://msdn.microsoft.com/en-us/library/ms724958
        The ``_anonymous_`` entries make the union/inner-struct members
        readable directly on the SYSTEM_INFO instance.
        """
        class _U(ctypes.Union):
            class _S(ctypes.Structure):
                _fields_ = (('wProcessorArchitecture', WORD),
                            ('wReserved', WORD))
            _fields_ = (('dwOemId', DWORD), # obsolete
                        ('_s', _S))
            _anonymous_ = ('_s',)
        _fields_ = (('_u', _U),
                    ('dwPageSize', DWORD),
                    ('lpMinimumApplicationAddress', LPVOID),
                    ('lpMaximumApplicationAddress', LPVOID),
                    ('dwActiveProcessorMask',   DWORD_PTR),
                    ('dwNumberOfProcessors',    DWORD),
                    ('dwProcessorType',         DWORD),
                    ('dwAllocationGranularity', DWORD),
                    ('wProcessorLevel',    WORD),
                    ('wProcessorRevision', WORD))
        _anonymous_ = ('_u',)

    LPSYSTEM_INFO = ctypes.POINTER(SYSTEM_INFO)



    # use_last_error=True makes ctypes.get_last_error() meaningful after a
    # failed call; nothing in this function actually queries it.
    Kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
    Kernel32.GetSystemInfo.restype = None
    Kernel32.GetSystemInfo.argtypes = (LPSYSTEM_INFO,)

    # Only GetSystemInfo gets a prototype.  OpenProcess, VirtualQueryEx and
    # ReadProcessMemory below rely on ctypes' default conversions (Python
    # int -> C int, C int return).
    # NOTE(review): on 64-bit Python that default truncates addresses above
    # 2**32 and the returned HANDLE to 32 bits — confirm, and give those
    # three functions explicit argtypes/restype if it matters.
    sysinfo = SYSTEM_INFO()
    Kernel32.GetSystemInfo(ctypes.byref(sysinfo))

### to make sure SYSTEM_INFO() worked.
##    print(sysinfo.lpMinimumApplicationAddress)
##    print(sysinfo.lpMaximumApplicationAddress)

    # 2nd, get Open process.

    # Choose the target PID: a process whose name string contains 'swtor.exe'
    # and whose resident set exceeds 1 GB.  Only the last match is kept, and
    # PID stays unbound (NameError at OpenProcess) if nothing matches.
    # NOTE(review): proc.name is a bound method that is never called, so the
    # test runs against the method's string form rather than the name itself;
    # proc.name() is presumably what was intended — verify.
    for proc in psutil.process_iter():
        if str('swtor.exe') in str(proc.name) and \
           proc.memory_info().rss > 1000000000:
            PID = proc.pid
            print('PID:',PID)

           
    # Read-only access rights: PROCESS_VM_WRITE is not requested, so this
    # handle can query and read the process but never modify it.
    PROCESS_QUERY_INFORMATION = 0x0400
    PROCESS_VM_READ = 0x0010

    # bInheritHandle=False.  The handle is never released (no CloseHandle call
    # in this file) and a failed open is only printed, not checked.
    Process = Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, False, PID)
    print('process:', Process)



    # 3rd

    class MEMORY_BASIC_INFORMATION(ctypes.Structure):
        """ctypes mirror of the Win32 MEMORY_BASIC_INFORMATION struct.

        https://msdn.microsoft.com/en-us/library/aa366775
        Filled in by VirtualQueryEx; State, Protect and RegionSize drive the
        scan loop below.
        """
        _fields_ = (('BaseAddress', PVOID),
                    ('AllocationBase',    PVOID),
                    ('AllocationProtect', DWORD),
                    ('RegionSize', SIZE_T),
                    ('State',   DWORD),
                    ('Protect', DWORD),
                    ('Type',    DWORD))

    ##PMEMORY_BASIC_INFORMATION = ctypes.POINTER(MEMORY_BASIC_INFORMATION)

    mbi = MEMORY_BASIC_INFORMATION()
    ##sysinfo.lpMinimumApplicationAddress

    # Probe query of the first region; its return value is only printed,
    # never checked.
    print('VirtualQueryEx ran properly?',Kernel32.VirtualQueryEx(Process, \
        sysinfo.lpMinimumApplicationAddress, ctypes.byref(mbi),ctypes.sizeof(mbi)))
    # sysinfo.lpMinimumApplicationAddress replaced by None

    ##print('')
    ##print('mbi start')
    ##print('mbi.BaseAddress: ',mbi.BaseAddress)
    ##print('mbi.AllocationBase: ',mbi.AllocationBase)
    ##print('mbi.AllocationProtect: ',mbi.AllocationProtect)
    ##print('mbi.RegionSize: ',mbi.RegionSize)
    ##print('mbi.State: ',mbi.State)
    ##print('mbi.Protect: ', mbi.Protect)
    ##print('mbi.Type: ',mbi.Type)



    ReadProcessMemory = Kernel32.ReadProcessMemory

    ##
    # Only regions that are committed and whose Protect is exactly
    # PAGE_READWRITE are scanned; the == comparison also skips regions that
    # carry extra protection flags.
    MEM_COMMIT = 0x00001000;
    PAGE_READWRITE = 0x04;

    ##buffer = ctypes.c_uint()
    # One 8-byte double per read; the scan stride below matches its size.
    buffer = ctypes.c_double()

    # Receives the byte count ReadProcessMemory copied; never inspected.
    nread = SIZE_T()

    ##start = ctypes.c_void_p(mbi.BaseAddress)

    current_address = sysinfo.lpMinimumApplicationAddress
    end_address = sysinfo.lpMaximumApplicationAddress


    hit_count = 0
    # Region walk: each VirtualQueryEx describes the region containing
    # current_address and the loop then advances by that region's size.
    # NOTE(review): the return value is not checked; if the query fails, mbi
    # keeps its previous contents and the walk advances by a stale RegionSize.
    while current_address < end_address:
        Kernel32.VirtualQueryEx(Process, \
        current_address, ctypes.byref(mbi),ctypes.sizeof(mbi))
       
        if mbi.Protect == PAGE_READWRITE and mbi.State == MEM_COMMIT :
            print('This region can be scanned!')
            index = current_address
            # The -7 keeps the final 8-byte read inside the region
            # (last i <= base + RegionSize - 8).
            end = current_address + mbi.RegionSize - 7

            # Steps of 8 bytes from the region base.
            for i in range(index, end, 8):
                if ReadProcessMemory(Process, i, ctypes.byref(buffer), \
                                     ctypes.sizeof(buffer), ctypes.byref(nread)):

                        # Open match window: target - 1 < value < target + 1.
                        if buffer.value < (target_value + 1) and \
                        buffer.value > (target_value - 1):

                            print(buffer, buffer.value, i, 'hit:', hit_count)
                            hit_count += 1
                            hit_pool.append(i)

                           
                else:
                    # A failed read blocks on stdin until Enter is pressed,
                    # then the loop continues with the next address.
                    print('else happend.')
                    input('program pause because ReadProcessMemory happened.')
               
        current_address += mbi.RegionSize

    print(hit_count)
   
    return hit_pool
  151.  
  152.  
  153.  
  154.  
  155.  
  156.  
  157.  
def Second_scan(hit_pool: list[int], target_value: float) -> list[int]:
    """Re-check the addresses in *hit_pool* against a new *target_value*.

    Re-opens the target process exactly as First_scan does, then for each
    address in *hit_pool* queries its region with VirtualQueryEx and, if the
    region is still MEM_COMMIT and PAGE_READWRITE, reads one double there.
    Addresses whose value lies strictly between ``target_value - 1`` and
    ``target_value + 1`` survive into the returned list.

    Args:
        hit_pool: candidate addresses, normally the result of a previous scan.
            The list passed in is only iterated, never modified.
        target_value: number the doubles at those addresses are compared against.

    Returns:
        A new list holding the surviving addresses.

    Raises:
        NameError: when no psutil process matches the name/RSS filter below,
            because ``PID`` is only bound inside that loop.
        AttributeError: off Windows, since ``ctypes.WinDLL`` is Windows-only.
    """
    PVOID = LPVOID
    SIZE_T = ctypes.c_size_t

    # https://msdn.microsoft.com/en-us/library/aa383751#DWORD_PTR
    # Pointer-sized unsigned integer, picked from the interpreter's pointer
    # width.  (If neither branch matched, DWORD_PTR would stay unbound.)
    if ctypes.sizeof(ctypes.c_void_p) == ctypes.sizeof(ctypes.c_ulonglong):
        DWORD_PTR = ctypes.c_ulonglong
    elif ctypes.sizeof(ctypes.c_void_p) == ctypes.sizeof(ctypes.c_ulong):
        DWORD_PTR = ctypes.c_ulong

    class SYSTEM_INFO(ctypes.Structure):
        """ctypes mirror of the Win32 SYSTEM_INFO struct.

        https://msdn.microsoft.com/en-us/library/ms724958
        Duplicates the definition in First_scan; only the two application
        address fields are read here.
        """
        class _U(ctypes.Union):
            class _S(ctypes.Structure):
                _fields_ = (('wProcessorArchitecture', WORD),
                            ('wReserved', WORD))
            _fields_ = (('dwOemId', DWORD), # obsolete
                        ('_s', _S))
            _anonymous_ = ('_s',)
        _fields_ = (('_u', _U),
                    ('dwPageSize', DWORD),
                    ('lpMinimumApplicationAddress', LPVOID),
                    ('lpMaximumApplicationAddress', LPVOID),
                    ('dwActiveProcessorMask',   DWORD_PTR),
                    ('dwNumberOfProcessors',    DWORD),
                    ('dwProcessorType',         DWORD),
                    ('dwAllocationGranularity', DWORD),
                    ('wProcessorLevel',    WORD),
                    ('wProcessorRevision', WORD))
        _anonymous_ = ('_u',)

    LPSYSTEM_INFO = ctypes.POINTER(SYSTEM_INFO)



    # Same prototype setup as First_scan: only GetSystemInfo is typed, the
    # other kernel32 calls below use ctypes' default int conversions.
    # NOTE(review): on 64-bit Python that default truncates addresses above
    # 2**32 and the returned HANDLE to 32 bits — confirm.
    Kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
    Kernel32.GetSystemInfo.restype = None
    Kernel32.GetSystemInfo.argtypes = (LPSYSTEM_INFO,)

    sysinfo = SYSTEM_INFO()
    Kernel32.GetSystemInfo(ctypes.byref(sysinfo))

    # Same PID selection as First_scan: last match wins, PID unbound if none.
    # NOTE(review): proc.name is never called here either — presumably
    # proc.name() was intended; verify.
    for proc in psutil.process_iter():
        if str('swtor.exe') in str(proc.name) and \
           proc.memory_info().rss > 1000000000:
            PID = proc.pid
            print('PID:',PID)

           
    # Read-only access rights; no PROCESS_VM_WRITE.
    PROCESS_QUERY_INFORMATION = 0x0400
    PROCESS_VM_READ = 0x0010

    # A fresh handle per call; like First_scan's it is never closed and a
    # failed open is only printed.
    Process = Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, False, PID)
    print('process:', Process)



    # 3rd

    class MEMORY_BASIC_INFORMATION(ctypes.Structure):
        """ctypes mirror of the Win32 MEMORY_BASIC_INFORMATION struct.

        https://msdn.microsoft.com/en-us/library/aa366775
        Filled in by VirtualQueryEx; State and Protect gate each re-read.
        """
        _fields_ = (('BaseAddress', PVOID),
                    ('AllocationBase',    PVOID),
                    ('AllocationProtect', DWORD),
                    ('RegionSize', SIZE_T),
                    ('State',   DWORD),
                    ('Protect', DWORD),
                    ('Type',    DWORD))


    mbi = MEMORY_BASIC_INFORMATION()


    # Probe query of the first region; the return value is only printed.
    print('VirtualQueryEx ran properly?',Kernel32.VirtualQueryEx(Process, \
        sysinfo.lpMinimumApplicationAddress, ctypes.byref(mbi),ctypes.sizeof(mbi)))



    ReadProcessMemory = Kernel32.ReadProcessMemory


    # Only committed regions whose Protect is exactly PAGE_READWRITE are read.
    MEM_COMMIT = 0x00001000;
    PAGE_READWRITE = 0x04;


    # One 8-byte double per read.
    buffer = ctypes.c_double()

    # Byte count copied by ReadProcessMemory; never inspected.
    nread = SIZE_T()


    # hit_count is initialised but never incremented in this function.
    hit_count = 0
    hit_pool_2 = list()

    # Re-query the region around each candidate address before reading it.
    # NOTE(review): the VirtualQueryEx return value is not checked, so a failed
    # query leaves mbi holding the previous address's region data.
    for i in hit_pool:
        Kernel32.VirtualQueryEx(Process, \
        i, ctypes.byref(mbi),ctypes.sizeof(mbi))
       
        if mbi.Protect == PAGE_READWRITE and mbi.State == MEM_COMMIT :
            print('This region can be scanned!')

            if ReadProcessMemory(Process, i, ctypes.byref(buffer), \
                                 ctypes.sizeof(buffer), ctypes.byref(nread)):
                # Open match window: target - 1 < value < target + 1.
                if buffer.value < (target_value + 1) and \
                buffer.value > (target_value - 1):

                    print(i,'OVERKILL!!!')
                    hit_pool_2.append(i)

                           
            else:
                # A failed read blocks on stdin until Enter is pressed.
                print('else happend.')
                input('program pause because ReadProcessMemory happened.')
        else:
            # Bare string expression: a no-op, nothing is printed or logged.
            # Addresses whose region no longer qualifies are silently dropped.
            '2nd run VirtualQueryEx error'
   
    # Rebinding the local name does not affect the caller's list; the new
    # list is handed back via the return value.
    hit_pool = hit_pool_2
    print('Hit_pool', hit_pool)
    return hit_pool_2
  276.  
  277.  
  278.  
  279.  
# Driver: one full scan, then narrowing passes until the sentinel -999 is
# entered.  The sentinel is checked *before* each prompt, so entering -999
# still runs one final Second_scan with that value before the loop ends.
target_value = int(input('new scan value'))
hit_pool = First_scan([], target_value)
print(hit_pool)


while True:
    if target_value == -999:
        break
    target_value = int(input('new scan value'))
    hit_pool = Second_scan(hit_pool, target_value)

print('done.')
  293.  
  294. ##print(hit_pool)