Python：用 Windows API 把进程内存转储到缓冲区，然后用正则表达式搜索



我用下面这段调用 Windows API 的 Python 代码为某个进程生成 minidump。转储到文件时一切正常，但我需要一种把转储保存在内存缓冲区中、然后对其做正则搜索的方法。除了转储到文件之外，我想不出别的办法。有什么想法吗？

import win32security, win32con, win32api, win32file, ctypes
import re
from constants.structures import MINIDUMP_TYPES_CLASS
# MiniDumpWriteDump lives in dbghelp.dll; WinDLL uses the stdcall convention
# the Win32 API expects (ctypes.windll.dbghelp resolves to the same object).
dbghelp = ctypes.WinDLL("dbghelp")
def adjustPrivilege(priv):
    """Enable the named privilege (e.g. "seDebugPrivilege") on the current
    process token.

    Opens the token with TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, looks up the
    privilege LUID and asks AdjustTokenPrivileges to enable it.  pywin32
    raises pywintypes.error if one of the calls fails; whether the privilege
    was actually granted (the token must already hold it) is not checked here.
    """
    access = win32security.TOKEN_QUERY | win32security.TOKEN_ADJUST_PRIVILEGES
    token = win32security.OpenProcessToken(win32api.GetCurrentProcess(), access)
    luid = win32security.LookupPrivilegeValue(None, priv)
    wanted = [(luid, win32security.SE_PRIVILEGE_ENABLED)]
    win32security.AdjustTokenPrivileges(token, 0, wanted)
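def createMiniDump(pid, file_name):
    """Write a full-memory minidump of process *pid* to *file_name*.

    Args:
        pid: ID of the target process.
        file_name: path of the dump file to create (overwritten if present).

    Returns:
        The BOOL result of MiniDumpWriteDump: non-zero on success, 0 on
        failure (the failure reason is printed in that case).

    Raises:
        pywintypes.error: if OpenProcess or CreateFile fails.  pywin32 raises
        instead of returning an invalid handle, so the old "Status" prints
        after those calls could only ever show a stale error code.
    """
    # SeDebugPrivilege is what lets OpenProcess succeed on processes the
    # caller does not own; it is only enabled if the token already holds it.
    adjustPrivilege("seDebugPrivilege")
    # Without explicit argtypes ctypes passes the HANDLE arguments as 32-bit
    # C ints, which truncates them on 64-bit Windows.
    writeDump = dbghelp.MiniDumpWriteDump
    writeDump.argtypes = [
        ctypes.c_void_p,   # hProcess
        ctypes.c_ulong,    # ProcessId
        ctypes.c_void_p,   # hFile
        ctypes.c_int,      # DumpType (MINIDUMP_TYPE)
        ctypes.c_void_p,   # ExceptionParam
        ctypes.c_void_p,   # UserStreamParam
        ctypes.c_void_p,   # CallbackParam
    ]
    writeDump.restype = ctypes.c_int  # BOOL
    pHandle = win32api.OpenProcess(
        win32con.PROCESS_VM_READ | win32con.PROCESS_QUERY_INFORMATION, 0, pid)
    try:
        # The security-attributes argument is None, so the dump file gets the
        # default (inherited) ACL.  A full-memory dump contains everything the
        # target holds in memory, so write it into a directory whose ACL limits
        # who can read it.
        fHandle = win32file.CreateFile(file_name,
                                       win32file.GENERIC_READ | win32file.GENERIC_WRITE,
                                       win32file.FILE_SHARE_READ | win32file.FILE_SHARE_WRITE,
                                       None,
                                       win32file.CREATE_ALWAYS,
                                       win32file.FILE_ATTRIBUTE_NORMAL,
                                       None)
        try:
            success = writeDump(pHandle.handle,
                                pid,
                                fHandle.handle,
                                MINIDUMP_TYPES_CLASS.MiniDumpWithFullMemory,
                                None,    # Exception parameter
                                None,    # User stream parameter
                                None)    # Callback parameter
            # Read the error code right after the foreign call: any other
            # Win32 activity in between can overwrite the thread's last error.
            err = ctypes.GetLastError()
        finally:
            fHandle.Close()
    finally:
        pHandle.Close()
    # GetLastError is only meaningful when the call reported failure.
    if not success:
        print 'MiniDump Status: ', win32api.FormatMessage(err)
    return success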
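if __name__ == "__main__":
    # Example invocation: dump PID 1280 to ./1280.dmp.  Guarded so that
    # importing this module does not dump a process as a side effect.
    createMiniDump(1280, "1280.dmp")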

找到了一种方法！给有兴趣的人：

from ctypes import sizeof
from ctypes import byref
import re
from ctypes import c_ulong, create_string_buffer
from constants.defines import READ_PROCESS_MEMORY
from constants.defines import VIRTUALQUERYEX
from constants.structures import SYSTEM_INFO
from constants.structures import MEMORY_BASIC_INFORMATION
import win32security, win32con, win32api, pywintypes
import sys
import os
# Optional rule object passed through to ReadProcessMemory; nothing in this
# script uses it yet, so it stays None.
rules = None
def AdjustPrivilege( priv ):
    """Enable privilege *priv* (for example "seDebugPrivilege") on the token
    of the current process.

    The token is opened for TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, the
    privilege name is resolved to its LUID, and AdjustTokenPrivileges enables
    it.  pywin32 raises pywintypes.error on a failed call; this function does
    not verify that the privilege was actually granted.
    """
    wanted_access = win32security.TOKEN_QUERY | win32security.TOKEN_ADJUST_PRIVILEGES
    me = win32api.GetCurrentProcess()
    token = win32security.OpenProcessToken(me, wanted_access)
    luid = win32security.LookupPrivilegeValue(None, priv)
    win32security.AdjustTokenPrivileges(
        token, 0, [(luid, win32security.SE_PRIVILEGE_ENABLED)])
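def _readRegion(hProcess, base, size):
    """Return the raw bytes of one memory region, or None if it cannot be read."""
    count = c_ulong(0)
    try:
        buff = create_string_buffer(size)
    except MemoryError:
        # Region too large to mirror locally; skip it instead of aborting the scan.
        return None
    if not READ_PROCESS_MEMORY(hProcess, base, buff, size, byref(count)):
        return None
    return buff.raw


def ReadProcessMemory(ProcessID, rules):
    """Walk the address space of process *ProcessID* region by region and
    print every distinct regex match found in each readable region.

    Args:
        ProcessID: ID of the target process.
        rules: currently unused; kept for interface compatibility (the
            original referenced it only in commented-out ``rules.match``
            code, presumably a rule-scanning object -- confirm before use).

    Raises:
        pywintypes.error: if the process cannot be opened.
        re.error: if one of the patterns is invalid (previously hidden by a
            bare ``except: pass``, which made a bad pattern look like "no
            matches").
    """
    patterns = ["REGEX_STRING"]
    base = 0
    mbi = MEMORY_BASIC_INFORMATION()
    AdjustPrivilege("seDebugPrivilege")
    pHandle = win32api.OpenProcess(
        win32con.PROCESS_VM_READ | win32con.PROCESS_QUERY_INFORMATION, 0, ProcessID)
    try:
        while VIRTUALQUERYEX(pHandle.handle, base, byref(mbi), sizeof(mbi)) > 0:
            size = mbi.RegionSize
            if size == 0:
                break  # would otherwise re-query the same address forever
            # Only committed regions are backed by memory: reserved and free
            # regions make ReadProcessMemory fail anyway, and allocating a
            # buffer the size of a large reserved region is wasted work.
            if mbi.State == win32con.MEM_COMMIT:
                data = _readRegion(pHandle.handle, base, size)
                if data is not None:
                    hits = set()
                    for regex in patterns:
                        hits.update(re.findall(regex, data, re.DOTALL|re.UNICODE))
                    for line in hits:
                        print line
            base += size
    finally:
        win32api.CloseHandle(pHandle)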
    #base += system_info.dwPageSize
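if __name__ == "__main__":
    # Example invocation against PID 1280.  Guarded so importing this module
    # does not start scanning another process's memory as a side effect.
    ReadProcessMemory(1280, rules)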

