from ctypes import *
from ctypes.wintypes import *
import time
import os, sys
import win32security
import tempfile
import win32api, win32con
from ntsecuritycon import TokenSessionId, TokenSandBoxInert, TokenType, TokenImpersonationLevel, TokenVirtualizationEnabled, TokenVirtualizationAllowed, TokenHasRestrictions, TokenElevationType, TokenUIAccess, TokenUser, TokenOwner, TokenGroups, TokenRestrictedSids, TokenPrivileges, TokenPrimaryGroup, TokenSource, TokenDefaultDacl, TokenStatistics, TokenOrigin, TokenLinkedToken, TokenLogonSid, TokenElevation, TokenIntegrityLevel, TokenMandatoryPolicy, SE_ASSIGNPRIMARYTOKEN_NAME, SE_BACKUP_NAME, SE_CREATE_PAGEFILE_NAME, SE_CREATE_TOKEN_NAME, SE_DEBUG_NAME, SE_LOAD_DRIVER_NAME, SE_MACHINE_ACCOUNT_NAME, SE_RESTORE_NAME, SE_SHUTDOWN_NAME, SE_TAKE_OWNERSHIP_NAME, SE_TCB_NAME


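OpenProcess = windll.kernel32.OpenProcess
# Declare prototypes so ctypes does not fall back to its defaults (every
# argument and the return value treated as a C int).  On 64-bit Python the
# defaults truncate HANDLE values and addresses above 2**31.
OpenProcess.argtypes = [DWORD, BOOL, DWORD]  # dwDesiredAccess, bInheritHandle, dwProcessId
OpenProcess.restype = HANDLE                 # NULL maps to None, so `if handle:` still works

ReadProcessMemory = windll.kernel32.ReadProcessMemory
# lpBuffer and lpNumberOfBytesRead are declared as plain void pointers so any
# ctypes buffer / byref() object is accepted.  nSize and the out-parameter are
# SIZE_T in the Win32 API: pass a c_size_t (not c_ulong) for the byte count on
# 64-bit builds, otherwise the kernel writes 8 bytes into a 4-byte object.
ReadProcessMemory.argtypes = [HANDLE, LPCVOID, LPVOID, c_size_t, LPVOID]
ReadProcessMemory.restype = BOOL

CloseHandle = windll.kernel32.CloseHandle
CloseHandle.argtypes = [HANDLE]
CloseHandle.restype = BOOL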



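def get_extra_privs(privilege_names=("SeBackupPrivilege", "SeDebugPrivilege", "SeSecurityPrivilege")):
    """Enable extra privileges on the current process token.

    This only *enables* privileges the token already holds (i.e. we are
    running as an administrator); a privilege the token lacks cannot be
    added here and is reported as missing.
      SeBackupPrivilege   - read objects regardless of their DACL
      SeDebugPrivilege    - open other users' processes (OpenProcess
                            otherwise fails for many of them)
      SeSecurityPrivilege - access to the SACL / audit settings of objects

    Vista+ "Protected" processes (e.g. audiodg.exe) remain inaccessible even
    with these privileges.  Background: http://www.alex-ionescu.com/?p=34

    Args:
        privilege_names: privilege names to enable; defaults to the three above.

    Returns:
        True if every requested privilege is now enabled, False if one or
        more could not be enabled (absent from the token, or the kernel
        reported ERROR_NOT_ALL_ASSIGNED).

    Raises:
        pywintypes.error: if the token cannot be opened or adjusted.
    """
    SE_PRIVILEGE_ENABLED = 2
    ERROR_NOT_ALL_ASSIGNED = 1300

    token = win32security.OpenProcessToken(
        win32api.GetCurrentProcess(),
        win32con.TOKEN_ADJUST_PRIVILEGES | win32con.TOKEN_QUERY,
    )

    # Resolve each name to its LUID once, instead of once per token entry.
    wanted = [(win32security.LookupPrivilegeValue(None, name), name) for name in privilege_names]

    new_state = []
    found = set()
    for luid, attrs in win32security.GetTokenInformation(token, TokenPrivileges):
        for wanted_luid, name in wanted:
            if luid == wanted_luid:
                attrs = SE_PRIVILEGE_ENABLED
                found.add(name)
                break
        new_state.append((luid, attrs))

    missing = [name for name in privilege_names if name not in found]
    for name in missing:
        print("Privilege not held by this token (need admin?): " + name)

    win32security.AdjustTokenPrivileges(token, False, tuple(new_state))
    # AdjustTokenPrivileges reports success even when some privileges could
    # not be enabled; the only indication is the last-error value.
    if win32api.GetLastError() == ERROR_NOT_ALL_ASSIGNED:
        print("Warning: not all requested privileges could be enabled")
        return False
    for name in found:
        print("Enabled privilege " + name)
    return not missing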


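PROCESS_ALL_ACCESS = 0x1F0FFF
# Least privilege for a read-only dump: these two rights are all that
# ReadProcessMemory needs, so do not ask for PROCESS_ALL_ACCESS.
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010
PROCESS_READ_ACCESS = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ

PAGE_SIZE = 0x1000

pid = 1012            # I assume you have this from somewhere.
address = 0x4100000   # Likewise; first address of the region to dump.
SCAN_LENGTH = 0x1000000  # Number of bytes to scan starting at `address`.


def dump_memory(process_handle, start, length, chunk_size=PAGE_SIZE):
    """Read `length` bytes of another process starting at `start` and print them.

    The region is read in `chunk_size` pieces.  A single ReadProcessMemory
    call fails as a whole when any part of the range is not readable, so
    page-sized chunks keep one unreadable page from hiding its neighbours.
    Each readable chunk is printed as "Success: <addr>" followed by the bytes
    as colon-separated hex; each unreadable chunk as "Failed@ <addr>".

    Args:
        process_handle: handle from OpenProcess with PROCESS_VM_READ.
        start: first address to read.
        length: number of bytes to cover (rounded up to whole chunks).
        chunk_size: bytes per ReadProcessMemory call.

    Returns:
        Number of chunks that were read successfully.
    """
    buf = create_string_buffer(chunk_size)
    # SIZE_T out-parameter: must be c_size_t, a c_ulong is only 4 bytes on Win64.
    n_read = c_size_t(0)
    end = start + length  # fixed end; comparing against `addr + length` never terminates
    addr = start
    ok = 0
    while addr < end:
        if ReadProcessMemory(process_handle, addr, buf, chunk_size, byref(n_read)):
            ok += 1
            data = buf.raw[:n_read.value]
            print("Success:", hex(addr))
            # bytearray() yields ints on both Python 2 and 3.
            print(":".join("{:02x}".format(b) for b in bytearray(data)))
        else:
            print("Failed@", hex(addr))
        addr += chunk_size
    return ok


def main(target_pid=pid, start=address, length=SCAN_LENGTH):
    """Open `target_pid` read-only and dump `length` bytes from `start`.

    Returns 0 on success, 1 if the process could not be opened.  The handle
    is always closed, even if dumping raises.
    """
    get_extra_privs()
    handle = OpenProcess(PROCESS_READ_ACCESS, False, target_pid)
    if not handle:
        # ctypes.GetLastError() is Windows-only, like everything else here.
        print("Unable to open process: ", GetLastError())
        return 1
    try:
        dump_memory(handle, start, length)
    finally:
        CloseHandle(handle)
    return 0


if __name__ == "__main__":
    sys.exit(main())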
