- import ctypes
- from ctypes.wintypes import WORD, DWORD, LPVOID
- import psutil
- import sys
def First_scan(hit_pool: list[int], target_value: float) -> list[int]:
    """Sweep the user-mode address range of the target process for 8-byte values near *target_value*.

    Steps, in order:
      1. Declare the ctypes layouts needed for GetSystemInfo and VirtualQueryEx.
      2. Read the user-mode address range (lpMinimumApplicationAddress ..
         lpMaximumApplicationAddress) from GetSystemInfo.
      3. Pick the psutil process entry whose str() contains 'swtor.exe' and whose
         RSS exceeds 1 GB, then open it with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ.
      4. Walk that range region by region with VirtualQueryEx. Only regions whose
         Protect is exactly PAGE_READWRITE and whose State is MEM_COMMIT are read;
         each 8-byte slot is read as a C double and its address is recorded when
         the value lies in the open interval (target_value - 1, target_value + 1).

    Args:
        hit_pool: list that receives the matching addresses; it is appended to in
            place and also returned.
        target_value: value being searched for; every double read is compared
            against it with a +/-1 tolerance.

    Returns:
        The same ``hit_pool`` object, with every matching address appended.

    Raises:
        NameError: if no process matched, because ``PID`` is only bound inside the
            search loop; likewise if neither ``DWORD_PTR`` branch matched.

    Review notes:
        - Windows-only (ctypes.WinDLL).
        - The handle returned by OpenProcess is never released; there is no
          CloseHandle call in this function.
        - OpenProcess's result is printed but never checked for 0 (NULL); a failed
          open only shows up later as falsy VirtualQueryEx/ReadProcessMemory results.
        - A failed ReadProcessMemory pauses the program with ``input()`` instead of
          aborting or skipping the slot.
    """
    PVOID = LPVOID
    SIZE_T = ctypes.c_size_t
    # DWORD_PTR is pointer-sized: https://msdn.microsoft.com/en-us/library/aa383751#DWORD_PTR
    # NOTE(review): DWORD_PTR stays unbound if neither comparison holds.
    if ctypes.sizeof(ctypes.c_void_p) == ctypes.sizeof(ctypes.c_ulonglong):
        DWORD_PTR = ctypes.c_ulonglong
    elif ctypes.sizeof(ctypes.c_void_p) == ctypes.sizeof(ctypes.c_ulong):
        DWORD_PTR = ctypes.c_ulong

    class SYSTEM_INFO(ctypes.Structure):
        """https://msdn.microsoft.com/en-us/library/ms724958"""
        class _U(ctypes.Union):
            class _S(ctypes.Structure):
                _fields_ = (('wProcessorArchitecture', WORD),
                            ('wReserved', WORD))
            _fields_ = (('dwOemId', DWORD), # obsolete
                        ('_s', _S))
            _anonymous_ = ('_s',)
        _fields_ = (('_u', _U),
                    ('dwPageSize', DWORD),
                    ('lpMinimumApplicationAddress', LPVOID),
                    ('lpMaximumApplicationAddress', LPVOID),
                    ('dwActiveProcessorMask', DWORD_PTR),
                    ('dwNumberOfProcessors', DWORD),
                    ('dwProcessorType', DWORD),
                    ('dwAllocationGranularity', DWORD),
                    ('wProcessorLevel', WORD),
                    ('wProcessorRevision', WORD))
        _anonymous_ = ('_u',)

    LPSYSTEM_INFO = ctypes.POINTER(SYSTEM_INFO)
    Kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
    # GetSystemInfo is the only import given explicit restype/argtypes here;
    # the other Kernel32 calls below rely on ctypes' default argument conversion.
    Kernel32.GetSystemInfo.restype = None
    Kernel32.GetSystemInfo.argtypes = (LPSYSTEM_INFO,)
    sysinfo = SYSTEM_INFO()
    Kernel32.GetSystemInfo(ctypes.byref(sysinfo))
    # sysinfo.lpMinimumApplicationAddress / lpMaximumApplicationAddress bound the
    # sweep below (they were printed here while debugging).

    # 2nd, locate and open the target process.
    # NOTE(review): `proc.name` is not called (no parentheses), so the substring test
    # runs against the str() of the bound method; whether that text includes the
    # process name depends on psutil's repr — verify. PID is overwritten on every
    # match, so the last matching process wins.
    for proc in psutil.process_iter():
        if str('swtor.exe') in str(proc.name) and \
           proc.memory_info().rss > 1000000000:
            PID = proc.pid
    print('PID:',PID)
    PROCESS_QUERY_INFORMATION = 0x0400
    PROCESS_VM_READ = 0x0010
    # Process is the raw HANDLE value; 0 means the open failed, which is not checked.
    Process = Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, False, PID)
    print('process:', Process)

    # 3rd, walk the address space.
    class MEMORY_BASIC_INFORMATION(ctypes.Structure):
        """https://msdn.microsoft.com/en-us/library/aa366775"""
        _fields_ = (('BaseAddress', PVOID),
                    ('AllocationBase', PVOID),
                    ('AllocationProtect', DWORD),
                    ('RegionSize', SIZE_T),
                    ('State', DWORD),
                    ('Protect', DWORD),
                    ('Type', DWORD))

    mbi = MEMORY_BASIC_INFORMATION()
    # Probe query of the first region; only the return value (bytes written, 0 on
    # failure) is shown, the mbi contents are overwritten by the loop below.
    print('VirtualQueryEx ran properly?',Kernel32.VirtualQueryEx(Process, \
          sysinfo.lpMinimumApplicationAddress, ctypes.byref(mbi),ctypes.sizeof(mbi)))
    ReadProcessMemory = Kernel32.ReadProcessMemory
    MEM_COMMIT = 0x00001000;
    PAGE_READWRITE = 0x04;
    # Each slot is read as an 8-byte double (an earlier variant used c_uint).
    buffer = ctypes.c_double()
    nread = SIZE_T()
    current_address = sysinfo.lpMinimumApplicationAddress
    end_address = sysinfo.lpMaximumApplicationAddress
    hit_count = 0
    while current_address < end_address:
        Kernel32.VirtualQueryEx(Process, \
                                current_address, ctypes.byref(mbi),ctypes.sizeof(mbi))
        # Exact equality: a region whose Protect carries extra flags is skipped.
        if mbi.Protect == PAGE_READWRITE and mbi.State == MEM_COMMIT :
            print('This region can be scanned!')
            index = current_address
            # -7 so that an 8-byte read starting at the last index stays inside the region.
            end = current_address + mbi.RegionSize - 7
            for i in range(index, end, 8):
                if ReadProcessMemory(Process, i, ctypes.byref(buffer), \
                                     ctypes.sizeof(buffer), ctypes.byref(nread)):
                    # Open interval (target_value - 1, target_value + 1).
                    if buffer.value < (target_value + 1) and \
                       buffer.value > (target_value - 1):
                        print(buffer, buffer.value, i, 'hit:', hit_count)
                        hit_count += 1
                        hit_pool.append(i)
                else:
                    # ReadProcessMemory returned 0: stop and wait for the operator.
                    print('else happend.')
                    input('program pause because ReadProcessMemory happened.')
        # Advance by the whole region regardless of whether it was scanned.
        current_address += mbi.RegionSize
    print(hit_count)
    return hit_pool
def Second_scan(hit_pool: list[int], target_value: float) -> list[int]:
    """Re-read the addresses in *hit_pool* and keep those whose value is still near *target_value*.

    The setup (ctypes layouts, GetSystemInfo, process lookup, OpenProcess) is a
    verbatim copy of the one in First_scan. Instead of walking the whole address
    range, the function visits only the addresses collected earlier: for each one
    it re-queries the enclosing region with VirtualQueryEx, and when the region is
    exactly PAGE_READWRITE and MEM_COMMIT it reads one C double at that address.
    The address survives when the value lies in the open interval
    (target_value - 1, target_value + 1).

    Args:
        hit_pool: addresses from a previous pass. The list itself is not modified;
            the local name is merely rebound before returning.
        target_value: value being searched for, compared with a +/-1 tolerance.

    Returns:
        A new list holding the subset of ``hit_pool`` that still matches.

    Raises:
        NameError: if no process matched (``PID`` only bound inside the search loop),
            or if neither ``DWORD_PTR`` branch matched.

    Review notes:
        - Windows-only (ctypes.WinDLL).
        - The OpenProcess handle is never released (no CloseHandle call).
        - OpenProcess's result is printed but never checked for 0 (NULL).
        - The ``else`` branch of the region check contains a bare string literal,
          which is a no-op; a region that fails the check is silently dropped.
        - ``hit_count`` is assigned but never updated in this pass.
    """
    PVOID = LPVOID
    SIZE_T = ctypes.c_size_t
    # DWORD_PTR is pointer-sized: https://msdn.microsoft.com/en-us/library/aa383751#DWORD_PTR
    # NOTE(review): DWORD_PTR stays unbound if neither comparison holds.
    if ctypes.sizeof(ctypes.c_void_p) == ctypes.sizeof(ctypes.c_ulonglong):
        DWORD_PTR = ctypes.c_ulonglong
    elif ctypes.sizeof(ctypes.c_void_p) == ctypes.sizeof(ctypes.c_ulong):
        DWORD_PTR = ctypes.c_ulong

    class SYSTEM_INFO(ctypes.Structure):
        """https://msdn.microsoft.com/en-us/library/ms724958"""
        class _U(ctypes.Union):
            class _S(ctypes.Structure):
                _fields_ = (('wProcessorArchitecture', WORD),
                            ('wReserved', WORD))
            _fields_ = (('dwOemId', DWORD), # obsolete
                        ('_s', _S))
            _anonymous_ = ('_s',)
        _fields_ = (('_u', _U),
                    ('dwPageSize', DWORD),
                    ('lpMinimumApplicationAddress', LPVOID),
                    ('lpMaximumApplicationAddress', LPVOID),
                    ('dwActiveProcessorMask', DWORD_PTR),
                    ('dwNumberOfProcessors', DWORD),
                    ('dwProcessorType', DWORD),
                    ('dwAllocationGranularity', DWORD),
                    ('wProcessorLevel', WORD),
                    ('wProcessorRevision', WORD))
        _anonymous_ = ('_u',)

    LPSYSTEM_INFO = ctypes.POINTER(SYSTEM_INFO)
    Kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
    # Only GetSystemInfo gets explicit restype/argtypes; the other calls use
    # ctypes' default argument conversion.
    Kernel32.GetSystemInfo.restype = None
    Kernel32.GetSystemInfo.argtypes = (LPSYSTEM_INFO,)
    sysinfo = SYSTEM_INFO()
    Kernel32.GetSystemInfo(ctypes.byref(sysinfo))

    # Locate and open the target process (same lookup as First_scan).
    # NOTE(review): `proc.name` is not called, so the substring test runs against the
    # str() of the bound method — verify that it includes the process name. The last
    # matching process wins because PID is overwritten on every match.
    for proc in psutil.process_iter():
        if str('swtor.exe') in str(proc.name) and \
           proc.memory_info().rss > 1000000000:
            PID = proc.pid
    print('PID:',PID)
    PROCESS_QUERY_INFORMATION = 0x0400
    PROCESS_VM_READ = 0x0010
    # Process is the raw HANDLE value; 0 means the open failed, which is not checked.
    Process = Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, False, PID)
    print('process:', Process)

    # 3rd, re-check each previously recorded address.
    class MEMORY_BASIC_INFORMATION(ctypes.Structure):
        """https://msdn.microsoft.com/en-us/library/aa366775"""
        _fields_ = (('BaseAddress', PVOID),
                    ('AllocationBase', PVOID),
                    ('AllocationProtect', DWORD),
                    ('RegionSize', SIZE_T),
                    ('State', DWORD),
                    ('Protect', DWORD),
                    ('Type', DWORD))

    mbi = MEMORY_BASIC_INFORMATION()
    # Probe query of the first region; only the return value is shown.
    print('VirtualQueryEx ran properly?',Kernel32.VirtualQueryEx(Process, \
          sysinfo.lpMinimumApplicationAddress, ctypes.byref(mbi),ctypes.sizeof(mbi)))
    ReadProcessMemory = Kernel32.ReadProcessMemory
    MEM_COMMIT = 0x00001000;
    PAGE_READWRITE = 0x04;
    # Each address is read as one 8-byte double.
    buffer = ctypes.c_double()
    nread = SIZE_T()
    hit_count = 0  # never incremented in this pass
    hit_pool_2 = list()
    for i in hit_pool:
        # Query the region containing address i so its current protection is known.
        Kernel32.VirtualQueryEx(Process, \
                                i, ctypes.byref(mbi),ctypes.sizeof(mbi))
        # Exact equality: a region whose Protect carries extra flags is skipped.
        if mbi.Protect == PAGE_READWRITE and mbi.State == MEM_COMMIT :
            print('This region can be scanned!')
            if ReadProcessMemory(Process, i, ctypes.byref(buffer), \
                                 ctypes.sizeof(buffer), ctypes.byref(nread)):
                # Open interval (target_value - 1, target_value + 1).
                if buffer.value < (target_value + 1) and \
                   buffer.value > (target_value - 1):
                    print(i,'OVERKILL!!!')
                    hit_pool_2.append(i)
            else:
                # ReadProcessMemory returned 0: stop and wait for the operator.
                print('else happend.')
                input('program pause because ReadProcessMemory happened.')
        else:
            # NOTE(review): bare string expression — evaluates to nothing and is not
            # printed, so this branch is effectively `pass`.
            '2nd run VirtualQueryEx error'
    # Rebinds the local name only; the caller's list is untouched.
    hit_pool = hit_pool_2
    print('Hit_pool', hit_pool)
    return hit_pool_2
# Interactive driver: one full sweep, then narrowing passes until -999 is entered.
# Note that the value that ends the loop (-999) is still handed to Second_scan once
# before the loop exits, exactly like the sentinel-checked loop it replaces.
target_value = int(input('new scan value'))
hit_pool = First_scan(list(), target_value)
print(hit_pool)
while target_value != -999:
    target_value = int(input('new scan value'))
    hit_pool = Second_scan(hit_pool, target_value)
print('done.')