import logging
from ctypes import (
POINTER,
Structure,
addressof,
c_char,
c_void_p,
pointer,
sizeof,
windll,
)
from ctypes.wintypes import BYTE, DWORD, HMODULE
logger = logging.getLogger(__name__)

# Win32 PROCESS_* desired-access flags for OpenProcess.  Nothing in the visible
# part of this file uses them; presumably callers elsewhere OR them together
# before calling OpenProcess (note that VM_WRITE/VM_OPERATION grant the right
# to modify the target's memory, not just read it).
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# CreateToolhelp32Snapshot flag: include the target process's module list.
# NOTE(review): when a 64-bit Python snapshots a 32-bit target, the module
# walk may also need TH32CS_SNAPMODULE32 (0x10) -- confirm against the target.
TH32CS_SNAPMODULE = 0x00000008
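# Raw kernel32 entry points.  ``windll`` resolves the ANSI variants, so
# Module32First/Module32Next fill MODULEENTRY32.szModule/szExePath as bytes.
CreateToolhelp32Snapshot = windll.kernel32.CreateToolhelp32Snapshot
Process32First = windll.kernel32.Process32First
Process32Next = windll.kernel32.Process32Next
Module32First = windll.kernel32.Module32First
Module32Next = windll.kernel32.Module32Next
# NOTE(review): reading GetLastError through a plain ctypes call can return a
# stale code, because ctypes itself may touch Win32 APIs between the failing
# call and this one; WinDLL("kernel32", use_last_error=True) together with
# ctypes.get_last_error() is the reliable form.  Left as-is to keep the change
# local -- treat logged error codes as indicative, not authoritative.
GetLastError = windll.kernel32.GetLastError
OpenProcess = windll.kernel32.OpenProcess
GetPriorityClass = windll.kernel32.GetPriorityClass
CloseHandle = windll.kernel32.CloseHandle

# Prototypes for the calls made by list_process_modules().  Without them ctypes
# treats every return value and every plain-int argument as a C ``int``, so on
# 64-bit Python a snapshot HANDLE wider than 32 bits would be truncated when it
# comes back from CreateToolhelp32Snapshot and again when it is handed on to
# Module32First / Module32Next / CloseHandle.  With a c_void_p restype a NULL
# handle comes back as None and INVALID_HANDLE_VALUE as the unsigned
# pointer-sized value, so callers must test for those rather than for -1 only.
CreateToolhelp32Snapshot.argtypes = [DWORD, DWORD]
CreateToolhelp32Snapshot.restype = c_void_p
Module32First.argtypes = [c_void_p, c_void_p]
Module32Next.argtypes = [c_void_p, c_void_p]
CloseHandle.argtypes = [c_void_p]
# OpenProcess, Process32First/Next and GetPriorityClass are not called in the
# visible code, so their prototypes stay at the ctypes defaults: a caller
# elsewhere that compares an OpenProcess result with 0 would break if its
# restype were switched to c_void_p (NULL becomes None).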
class MODULEENTRY32(Structure):
    """ctypes mirror of the Win32 ``MODULEENTRY32`` (ANSI) record that
    Module32First/Module32Next fill in.

    Field order and widths are the ABI; ``Structure`` applies native
    alignment, so the pointer-sized ``modBaseAddr``/``hModule`` members land
    where the 32- or 64-bit Windows headers put them.  The caller sets
    ``dwSize`` to ``sizeof(MODULEENTRY32)`` before the first Toolhelp call
    (see list_process_modules).
    """

    _fields_ = [
        ("dwSize", DWORD),  # size of this record; filled in by the caller
        ("th32ModuleID", DWORD),  # module identifier
        ("th32ProcessID", DWORD),  # PID of the process that owns the module
        ("GlblcntUsage", DWORD),  # global usage count
        ("ProccntUsage", DWORD),  # per-process usage count
        ("modBaseAddr", POINTER(BYTE)),  # load address, in the target's address space
        ("modBaseSize", DWORD),  # size of the mapped image in bytes
        ("hModule", HMODULE),  # module handle, valid in the target process
        ("szModule", c_char * 256),  # NUL-terminated module file name (bytes)
        ("szExePath", c_char * 260),  # NUL-terminated full path, MAX_PATH wide
    ]
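def _module_base_address(entry):
    """Return ``entry.modBaseAddr`` as an int, or ``None`` for a NULL pointer.

    ``addressof(ptr.contents)`` yields the address a POINTER(BYTE) points at;
    dereferencing a NULL pointer raises ValueError in ctypes, which the
    original swallowed with a broad ``except Exception``.
    """
    try:
        return addressof(entry.modBaseAddr.contents)
    except ValueError:
        return None


def _log_module_entry(entry, base):
    """Emit the per-module DEBUG lines for one MODULEENTRY32 *entry*."""
    logger.debug("MODULE NAME: %s", entry.szModule)
    logger.debug("executable: %s", entry.szExePath)
    logger.debug("process ID: %s", entry.th32ProcessID)
    logger.debug("ref count (g): %s", entry.GlblcntUsage)
    logger.debug("ref count (p): %s", entry.ProccntUsage)
    logger.debug("base address: %s", entry.modBaseAddr)
    logger.debug("Adjusted address = %s", None if base is None else hex(base))
    logger.debug("base size: %s", entry.modBaseSize)


def list_process_modules(ProcessID, module_name=b"FFX.exe"):
    """Return the load address of *module_name* inside process *ProcessID*.

    Walks the module list of the target process through a Toolhelp32
    snapshot (``TH32CS_SNAPMODULE``) and stops at the first entry whose
    ``szModule`` equals *module_name* (exact, case-sensitive bytes
    comparison, as before).  Every entry walked is logged at DEBUG level.

    Args:
        ProcessID: PID of the process to inspect.  Snapshotting another
            process's modules only works if this process is allowed to open
            it -- typically same user and integrity level, or
            SeDebugPrivilege; that is not checked here and shows up as a
            Win32 error (commonly 5, ERROR_ACCESS_DENIED) in the log.
        module_name: module file name to look for, as bytes, because the
            ANSI Module32First/Module32Next bindings fill ``szModule`` with
            a ``c_char`` array.  Defaults to ``b"FFX.exe"`` so existing
            callers keep their behaviour.

    Returns:
        The integer base address of the matching module, or ``False`` when
        the snapshot cannot be created, the first module cannot be read, the
        matching entry has a NULL base, or the module is not loaded in the
        target (the original never checked Module32Next's result and looped
        forever in that last case).
    """
    # INVALID_HANDLE_VALUE is (HANDLE)-1.  Cover both ways ctypes may hand it
    # back: -1 under the default c_int restype, or the unsigned pointer-sized
    # value under a c_void_p restype (which also maps a NULL handle to None).
    invalid_handles = (None, -1, c_void_p(-1).value)
    hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ProcessID)
    if hModuleSnap in invalid_handles:
        logger.error(
            "ListProcessModules() Error on CreateToolhelp32Snapshot[%d]",
            GetLastError(),
        )
        return False

    me32 = MODULEENTRY32()
    # Toolhelp needs dwSize filled in before the first call uses the record.
    me32.dwSize = sizeof(MODULEENTRY32)
    try:
        if Module32First(hModuleSnap, pointer(me32)) == 0:
            logger.error(
                "ListProcessModules() Error on Module32First[%d]", GetLastError()
            )
            return False
        while True:
            base = _module_base_address(me32)
            _log_module_entry(me32, base)
            if me32.szModule == module_name:
                if base is None:
                    logger.error(
                        "ListProcessModules() %r has a NULL base address", module_name
                    )
                    return False
                return base
            # Module32Next returns 0 once the list is exhausted
            # (ERROR_NO_MORE_FILES).  The original ignored this value and spun
            # forever, re-logging the last entry, when the module was absent.
            if Module32Next(hModuleSnap, pointer(me32)) == 0:
                logger.error(
                    "ListProcessModules() %r not found in process %s",
                    module_name,
                    ProcessID,
                )
                return False
    finally:
        # Release the snapshot on every path, including an unexpected exception.
        CloseHandle(hModuleSnap)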