from ctypes import *
from ctypes.wintypes import *
import time
import os, sys
import win32security
import tempfile
import win32api, win32con
from ntsecuritycon import TokenSessionId, TokenSandBoxInert, TokenType, TokenImpersonationLevel, TokenVirtualizationEnabled, TokenVirtualizationAllowed, TokenHasRestrictions, TokenElevationType, TokenUIAccess, TokenUser, TokenOwner, TokenGroups, TokenRestrictedSids, TokenPrivileges, TokenPrimaryGroup, TokenSource, TokenDefaultDacl, TokenStatistics, TokenOrigin, TokenLinkedToken, TokenLogonSid, TokenElevation, TokenIntegrityLevel, TokenMandatoryPolicy, SE_ASSIGNPRIMARYTOKEN_NAME, SE_BACKUP_NAME, SE_CREATE_PAGEFILE_NAME, SE_CREATE_TOKEN_NAME, SE_DEBUG_NAME, SE_LOAD_DRIVER_NAME, SE_MACHINE_ACCOUNT_NAME, SE_RESTORE_NAME, SE_SHUTDOWN_NAME, SE_TAKE_OWNERSHIP_NAME, SE_TCB_NAME

OpenProcess = windll.kernel32.OpenProcess
ReadProcessMemory = windll.kernel32.ReadProcessMemory
CloseHandle = windll.kernel32.CloseHandle

def get_extra_privs():
    # Try to give ourselves some extra privs (only works if we're admin):
    # SeBackupPrivilege   - so we can read anything
    # SeDebugPrivilege    - so we can find out about other processes (otherwise OpenProcess will fail for some)
    # SeSecurityPrivilege - ??? what does this do?

    # Problem: Vista+ support "Protected" processes, e.g. audiodg.exe.  We can't see info about these.
    # Interesting post on why Protected Process aren't really secure anyway:

    th = win32security.OpenProcessToken(win32api.GetCurrentProcess(), win32con.TOKEN_ADJUST_PRIVILEGES | win32con.TOKEN_QUERY)
    privs = win32security.GetTokenInformation(th, TokenPrivileges)
    newprivs = []
    for privtuple in privs:
        if privtuple[0] == win32security.LookupPrivilegeValue(None, "SeBackupPrivilege") or privtuple[0] == win32security.LookupPrivilegeValue(None, "SeDebugPrivilege") or privtuple[0] == win32security.LookupPrivilegeValue(None, "SeSecurityPrivilege"):
            print("Added privilege " + str(privtuple[0]))
            # privtuple[1] = 2 # tuples are immutable.  WHY?!
            newprivs.append((privtuple[0], 2)) # SE_PRIVILEGE_ENABLED
            newprivs.append((privtuple[0], privtuple[1]))

    # Adjust privs
    privs = tuple(newprivs)
    str(win32security.AdjustTokenPrivileges(th, False , privs)) 


pid = 1012   # I assume you have this from somewhere.
#address = 0x1000000  # Likewise; for illustration I'll get the .exe header.
address = 0x4100000

buffer = create_string_buffer(0x10000)
bufferSize = len(buffer)#len(buffer.value)
bytesRead = c_ulong(0)


processHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pid)
if processHandle:
    print("Buffersize: ", bufferSize)

    while address <= (address+0x1000000):
        if ReadProcessMemory(processHandle, address, buffer, bufferSize, byref(bytesRead)):
            for ii in range(0, bufferSize):
                if (buffer[ii] != 0x1):
                    #print("Success:", address, buffer)
                    print("Success:", hex(address))
                    #print("b'" + ''.join('\\x{:02x}'.format(x) for x in buffer) + "'")
                    print (":".join("{:02x}".format(ord(c)) for c in buffer))
            print("Failed@", hex(address))
        address += 0x1000
    print("Unable to open process: ", processHandle)

Leave a Reply

Your email address will not be published. Required fields are marked *