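"""Hex-dump readable pages of another process's address space (Windows only).

Usage:  python readmem.py [pid] [start_hex] [length_hex]

What this script does and what it needs:

* It asks for *read-only* process access (PROCESS_QUERY_INFORMATION |
  PROCESS_VM_READ).  That is all ReadProcessMemory needs; asking for
  PROCESS_ALL_ACCESS, as the first version did, makes OpenProcess fail on
  processes where a read-only open would have succeeded.
* Opening a process that belongs to another user (or to SYSTEM) needs
  SeDebugPrivilege, which only an elevated administrator token holds.
  get_extra_privs() enables it if the token has it; it cannot add it.
* Protected processes (audiodg.exe, csrss.exe, anti-malware services, ...)
  refuse PROCESS_VM_READ even with SeDebugPrivilege.  Background on why
  that protection is weaker than it looks: http://www.alex-ionescu.com/?p=34
"""

import os
import sys
import tempfile
import time
from ctypes import *            # WinDLL, create_string_buffer, c_size_t, byref, POINTER, get_last_error
from ctypes.wintypes import *   # DWORD, BOOL, HANDLE, LPVOID, LPCVOID

import win32api
import win32con
import win32security
# Most of these are unused; they are kept so the module's import surface is unchanged.
from ntsecuritycon import (
    TokenSessionId, TokenSandBoxInert, TokenType, TokenImpersonationLevel,
    TokenVirtualizationEnabled, TokenVirtualizationAllowed, TokenHasRestrictions,
    TokenElevationType, TokenUIAccess, TokenUser, TokenOwner, TokenGroups,
    TokenRestrictedSids, TokenPrivileges, TokenPrimaryGroup, TokenSource,
    TokenDefaultDacl, TokenStatistics, TokenOrigin, TokenLinkedToken,
    TokenLogonSid, TokenElevation, TokenIntegrityLevel, TokenMandatoryPolicy,
    SE_ASSIGNPRIMARYTOKEN_NAME, SE_BACKUP_NAME, SE_CREATE_PAGEFILE_NAME,
    SE_CREATE_TOKEN_NAME, SE_DEBUG_NAME, SE_LOAD_DRIVER_NAME,
    SE_MACHINE_ACCOUNT_NAME, SE_RESTORE_NAME, SE_SECURITY_NAME, SE_SHUTDOWN_NAME,
    SE_TAKE_OWNERSHIP_NAME, SE_TCB_NAME,
)

# --- Win32 bindings ---------------------------------------------------------
# use_last_error=True makes ctypes capture GetLastError() right after each call,
# so ctypes.get_last_error() is reliable even after Python has run other code.
kernel32 = WinDLL("kernel32", use_last_error=True)

# Declaring argtypes/restype is not cosmetic: without them ctypes passes Python
# ints as C `int`, so on 64-bit Python a HANDLE or a remote address above 2**31
# is silently truncated and the call fails (or reads the wrong place).
OpenProcess = kernel32.OpenProcess
OpenProcess.argtypes = [DWORD, BOOL, DWORD]
OpenProcess.restype = HANDLE

ReadProcessMemory = kernel32.ReadProcessMemory
ReadProcessMemory.argtypes = [HANDLE, LPCVOID, LPVOID, c_size_t, POINTER(c_size_t)]
ReadProcessMemory.restype = BOOL

CloseHandle = kernel32.CloseHandle
CloseHandle.argtypes = [HANDLE]
CloseHandle.restype = BOOL

# --- constants (winnt.h / winerror.h) --------------------------------------
PROCESS_ALL_ACCESS = 0x1F0FFF           # XP-era value, kept for reference only (Vista+: 0x1FFFFF)
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010
# Least privilege: these two rights are all ReadProcessMemory requires.
PROCESS_READ_ACCESS = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ

SE_PRIVILEGE_ENABLED = 0x00000002
ERROR_NOT_ALL_ASSIGNED = 1300           # AdjustTokenPrivileges: some privileges were not enabled

PAGE_SIZE = 0x1000                      # x86/x64 small page; ReadProcessMemory succeeds or fails per range

DEFAULT_PRIVILEGES = (SE_BACKUP_NAME, SE_DEBUG_NAME, SE_SECURITY_NAME)


def get_extra_privs(privilege_names=DEFAULT_PRIVILEGES):
    """Enable extra privileges on the current process token.

    AdjustTokenPrivileges can only *enable* privileges that are already present
    (but disabled) in the token; it cannot grant new ones.  So this is a no-op
    unless the process already runs under an account that holds them --
    in practice an elevated administrator.

    Of the defaults, only one matters for this script:
      * SeDebugPrivilege   -- lets OpenProcess succeed on processes owned by
                              other users / SYSTEM.  Needed.
      * SeBackupPrivilege  -- bypasses file ACLs for reads.  Not needed here.
      * SeSecurityPrivilege-- read/modify SACLs (audit settings).  Not needed here.
    Protected processes still cannot be opened for VM_READ with any of these.

    Args:
        privilege_names: privilege names ("SeDebugPrivilege", ...) to enable.

    Returns:
        list[str]: the names that were present in the token and passed to
        AdjustTokenPrivileges.  Names the token does not hold are reported
        on stdout and omitted.
    """
    token = win32security.OpenProcessToken(
        win32api.GetCurrentProcess(),
        win32con.TOKEN_ADJUST_PRIVILEGES | win32con.TOKEN_QUERY)

    # Resolve each name to its LUID once, instead of once per token entry.
    wanted = {win32security.LookupPrivilegeValue(None, name): name
              for name in privilege_names}

    held = []
    new_state = []
    for luid, _attrs in win32security.GetTokenInformation(token, TokenPrivileges):
        if luid in wanted:
            held.append(wanted[luid])
            new_state.append((luid, SE_PRIVILEGE_ENABLED))
    # Only the privileges we change are passed; every other entry keeps its state.

    missing = sorted(set(privilege_names) - set(held))
    if missing:
        print("Privileges not held by this token (not elevated?): " + ", ".join(missing))
    if not held:
        return held

    win32security.AdjustTokenPrivileges(token, False, tuple(new_state))
    # AdjustTokenPrivileges reports "succeeded" even when it could not enable
    # everything; the only signal is the last-error value.
    if win32api.GetLastError() == ERROR_NOT_ALL_ASSIGNED:
        print("Warning: not all requested privileges could be enabled")
    for name in held:
        print("Enabled privilege " + name)
    return held


def hexdump(data):
    """Return *data* as colon-separated two-digit hex, e.g. b'\\x00\\xff' -> '00:ff'."""
    return ":".join("{:02x}".format(b) for b in bytearray(data))


def is_blank(data):
    """True when *data* is empty or consists only of zero bytes.

    NOTE(review): the original test was ``buffer[ii] != 0x1``; on Python 3 an
    element of a c_char array is a 1-byte ``bytes`` object, never equal to an
    int, so that test was always true.  "Page is not all zeros" is presumably
    what was intended -- confirm if 0x01 really was meaningful.
    """
    return not any(bytearray(data))


def read_region(process_handle, start, length, chunk_size=PAGE_SIZE):
    """Yield ``(address, data)`` for each *chunk_size* step over [start, start+length).

    *data* is the bytes actually read (may be shorter than chunk_size) or
    ``None`` when ReadProcessMemory failed for that chunk.

    Reads are done chunk by chunk because ReadProcessMemory fails for the
    whole call if *any* byte of the requested range is inaccessible; a 64 KiB
    read spanning a 4 KiB committed page returns nothing.  The step and the
    read size are the same, so no bytes are dumped twice.

    Args:
        process_handle: handle from OpenProcess with PROCESS_VM_READ.
        start: first remote address to read.
        length: number of bytes to cover.
        chunk_size: bytes per ReadProcessMemory call.
    """
    buf = create_string_buffer(chunk_size)
    bytes_read = c_size_t(0)     # lpNumberOfBytesRead is SIZE_T*, not DWORD*
    end = start + length         # fixed upper bound; the original loop compared
    addr = start                 # `address <= address + N`, which never terminates
    while addr < end:
        if ReadProcessMemory(process_handle, addr, buf, chunk_size, byref(bytes_read)):
            yield addr, buf.raw[:bytes_read.value]
        else:
            yield addr, None
        addr += chunk_size


def dump_process(pid, start=0x4100000, length=0x1000000, chunk_size=PAGE_SIZE):
    """Open *pid* read-only and hex-dump every readable, non-zero chunk of the range.

    Args:
        pid: target process id.
        start: first remote address to read.
        length: number of bytes to cover.
        chunk_size: bytes per read (see read_region).

    Returns:
        bool: False if the process could not be opened, True otherwise.
    """
    get_extra_privs()
    handle = OpenProcess(PROCESS_READ_ACCESS, False, pid)
    if not handle:
        print("Unable to open process {}: Win32 error {}".format(pid, get_last_error()))
        return False
    try:
        for addr, data in read_region(handle, start, length, chunk_size):
            if data is None:
                print("Failed@", hex(addr))
            elif not is_blank(data):
                print("Success:", hex(addr))
                print(hexdump(data))
    finally:
        CloseHandle(handle)     # always released, even if printing raises
    return True


if __name__ == "__main__":
    # The original hard-coded pid 1012; all three values are now optional
    # arguments.  base 0 so "0x4100000" and "68157440" both parse.
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else 1012
    address = int(sys.argv[2], 0) if len(sys.argv) > 2 else 0x4100000
    length = int(sys.argv[3], 0) if len(sys.argv) > 3 else 0x1000000
    sys.exit(0 if dump_process(pid, address, length) else 1)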