我有以下使用 Windows API 对进程执行小型转储的 Python 代码。它可以正常转储到文件,但我需要一种方法把转储保存在内存缓冲区中,然后对其进行 REGEX 搜索。除了转储到文件之外,我想不出其他方式。有什么想法吗?
import win32security, win32con, win32api, win32file, ctypes
import re
from constants.structures import MINIDUMP_TYPES_CLASS
# dbghelp.dll exports MiniDumpWriteDump; WinDLL loads it with the stdcall
# convention (same object ctypes.windll.dbghelp would hand back).
dbghelp = ctypes.WinDLL("dbghelp")
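def adjustPrivilege(priv):
    """Enable privilege *priv* on the current process token.

    AdjustTokenPrivileges returns success even when the token does not hold
    the requested privilege; Windows then reports ERROR_NOT_ALL_ASSIGNED via
    GetLastError and pywin32 does not raise for it, so the original code could
    not tell whether the elevation actually happened. The token handle is
    closed explicitly instead of waiting for PyHANDLE finalisation.

    Args:
        priv: privilege name accepted by LookupPrivilegeValue
            (e.g. "seDebugPrivilege"; the lookup is case-insensitive).

    Returns:
        True if the privilege is now enabled, False if the token lacks it.

    Raises:
        pywintypes.error: if the token cannot be opened or *priv* is unknown.
    """
    ERROR_NOT_ALL_ASSIGNED = 1300  # winerror.ERROR_NOT_ALL_ASSIGNED
    flags = win32security.TOKEN_ADJUST_PRIVILEGES | win32security.TOKEN_QUERY
    htoken = win32security.OpenProcessToken(win32api.GetCurrentProcess(), flags)
    try:
        # `luid` rather than `id`: the original shadowed the builtin.
        luid = win32security.LookupPrivilegeValue(None, priv)
        win32security.AdjustTokenPrivileges(
            htoken, 0, [(luid, win32security.SE_PRIVILEGE_ENABLED)])
        # Read last-error immediately; any later Win32 call would overwrite it.
        return win32api.GetLastError() != ERROR_NOT_ALL_ASSIGNED
    finally:
        win32api.CloseHandle(htoken)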
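def createMiniDump(pid, file_name):
    """Write a full-memory minidump of process *pid* to *file_name*.

    Enables SeDebugPrivilege, opens the target for reading, creates (or
    truncates) the output file and calls dbghelp!MiniDumpWriteDump. dbghelp
    writes directly to the file handle; the dump never passes through a Python
    buffer, which is why this function cannot search it in memory. Both handles
    are closed before returning, so the file is complete when the caller opens
    it.

    The "Status" lines print the thread's last-error text. pywin32 raises
    pywintypes.error when OpenProcess/CreateFile fail, so the first two lines
    only ever run after success; the last one is informative when
    MiniDumpWriteDump returned 0.

    Args:
        pid: process id of the target.
        file_name: path of the .dmp file to create.

    Returns:
        The BOOL result of MiniDumpWriteDump (non-zero on success).

    Raises:
        pywintypes.error: if the process or the output file cannot be opened.
    """
    adjustPrivilege("seDebugPrivilege")
    pHandle = win32api.OpenProcess(
        win32con.PROCESS_VM_READ | win32con.PROCESS_QUERY_INFORMATION,
        0, pid)
    try:
        print 'pHandle Status: ', win32api.FormatMessage(win32api.GetLastError())
        fHandle = win32file.CreateFile(file_name,
                                       win32file.GENERIC_READ | win32file.GENERIC_WRITE,
                                       win32file.FILE_SHARE_READ | win32file.FILE_SHARE_WRITE,
                                       None,
                                       win32file.CREATE_ALWAYS,
                                       win32file.FILE_ATTRIBUTE_NORMAL,
                                       None)
        try:
            print 'fHandle Status: ', win32api.FormatMessage(win32api.GetLastError())
            success = dbghelp.MiniDumpWriteDump(
                pHandle.handle,                               # process handle
                pid,                                          # process id
                fHandle.handle,                               # output file handle
                MINIDUMP_TYPES_CLASS.MiniDumpWithFullMemory,  # MINIDUMP_TYPE
                None,                                         # exception info
                None,                                         # user streams
                None,                                         # callback
            )
            # Must be read before CloseHandle below, which resets last-error.
            print 'MiniDump Status: ', win32api.FormatMessage(win32api.GetLastError())
        finally:
            win32api.CloseHandle(fHandle)
    finally:
        win32api.CloseHandle(pHandle)
    return success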
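# Guarded so importing this module (e.g. to reuse createMiniDump) does not
# immediately dump PID 1280.
if __name__ == "__main__":
    createMiniDump(1280, "1280.dmp")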
答案 0 :(得分:2)
from ctypes import sizeof
from ctypes import byref
import re
from ctypes import c_ulong, create_string_buffer
from constants.defines import READ_PROCESS_MEMORY
from constants.defines import VIRTUALQUERYEX
from constants.structures import SYSTEM_INFO
from constants.structures import MEMORY_BASIC_INFORMATION
import win32security, win32con, win32api, pywintypes
import sys
import os
# Placeholder for matching rules; the yara-style branch that would use it is
# commented out inside ReadProcessMemory, so this stays None and unused.
rules = None
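def AdjustPrivilege( priv ):
    """Enable privilege *priv* on the current process token.

    AdjustTokenPrivileges returns success even when the token does not hold
    the requested privilege; Windows then reports ERROR_NOT_ALL_ASSIGNED via
    GetLastError and pywin32 does not raise for it, so the original code could
    not tell whether the elevation actually happened. The token handle is
    closed explicitly instead of waiting for PyHANDLE finalisation.

    Args:
        priv: privilege name accepted by LookupPrivilegeValue
            (e.g. "seDebugPrivilege"; the lookup is case-insensitive).

    Returns:
        True if the privilege is now enabled, False if the token lacks it.

    Raises:
        pywintypes.error: if the token cannot be opened or *priv* is unknown.
    """
    ERROR_NOT_ALL_ASSIGNED = 1300  # winerror.ERROR_NOT_ALL_ASSIGNED
    flags = win32security.TOKEN_ADJUST_PRIVILEGES | win32security.TOKEN_QUERY
    htoken = win32security.OpenProcessToken(win32api.GetCurrentProcess(), flags)
    try:
        # `luid` rather than `id`: the original shadowed the builtin.
        luid = win32security.LookupPrivilegeValue(None, priv)
        win32security.AdjustTokenPrivileges(
            htoken, 0, [(luid, win32security.SE_PRIVILEGE_ENABLED)])
        # Read last-error immediately; any later Win32 call would overwrite it.
        return win32api.GetLastError() != ERROR_NOT_ALL_ASSIGNED
    finally:
        win32api.CloseHandle(htoken)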
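def _scan_region(process_handle, address, size, patterns):
    """Copy one memory region of the target and return its distinct regex matches.

    Returns an empty list when the local buffer cannot be allocated or
    ReadProcessMemory reports failure (non-readable or vanished region).

    Args:
        process_handle: raw HANDLE value (``PyHANDLE.handle``) opened with
            PROCESS_VM_READ.
        address: start address of the region, as returned by VirtualQueryEx.
        size: region size in bytes.
        patterns: compiled ``re`` patterns to search with.
    """
    try:
        buff = create_string_buffer(size)
    except (MemoryError, OverflowError):
        # Region too large for a local copy (typical for reserved ranges on
        # 64-bit); skip it rather than abort the whole scan.
        return []
    count = c_ulong(0)
    # NOTE(review): the out-parameter is SIZE_T* (pointer-sized); c_ulong is
    # 32-bit on 64-bit Windows. Kept as in the original — confirm against the
    # argtypes declared for READ_PROCESS_MEMORY in constants.defines.
    if not READ_PROCESS_MEMORY(process_handle, address, buff, size, byref(count)):
        return []
    data = buff.raw[:count.value]  # only the bytes actually copied
    found = set()
    for pattern in patterns:
        found.update(pattern.findall(data))
    return list(found)


def ReadProcessMemory(ProcessID, rules):
    """Walk the address space of process *ProcessID* and print regex hits.

    Regions are enumerated with VirtualQueryEx from address 0 upwards; each
    committed region is copied with ReadProcessMemory and searched with the
    patterns in ``res_rx1``. Distinct matches are printed one per line.
    Compared with the original: patterns are compiled once instead of on
    every region, non-committed regions are skipped before allocating a
    buffer (ReadProcessMemory would reject them anyway, and reserved ranges
    can be gigabytes), the bare ``except: pass`` is narrowed to allocation
    failures so real errors are no longer hidden, and the process handle is
    closed even if the scan raises.

    Args:
        ProcessID: PID of the target process.
        rules: unused; kept for the commented-out yara-style matching.

    Returns:
        None.

    Raises:
        pywintypes.error: if the process cannot be opened.
    """
    MEM_COMMIT = 0x1000  # MEMORY_BASIC_INFORMATION.State for committed pages
    res_rx1 = ["REGEX_STRING"]
    patterns = [re.compile(regex, re.DOTALL | re.UNICODE) for regex in res_rx1]

    AdjustPrivilege("seDebugPrivilege")
    pHandle = win32api.OpenProcess(
        win32con.PROCESS_VM_READ | win32con.PROCESS_QUERY_INFORMATION, 0, ProcessID)
    try:
        base = 0
        memory_basic_information = MEMORY_BASIC_INFORMATION()
        # NOTE(review): `base` is passed as a plain int; on 64-bit Python it
        # must map to a pointer-sized argtype in VIRTUALQUERYEX — confirm in
        # constants.defines.
        while VIRTUALQUERYEX(pHandle.handle, base,
                             byref(memory_basic_information),
                             sizeof(memory_basic_information)) > 0:
            region_size = memory_basic_information.RegionSize
            if region_size == 0:
                # Defensive: a zero-sized region would never advance `base`.
                break
            if memory_basic_information.State == MEM_COMMIT:
                for line in _scan_region(pHandle.handle, base, region_size, patterns):
                    print line
            # `base` started at 0 and regions are page-aligned, so it always
            # coincides with BaseAddress; stepping by RegionSize reaches the
            # next region.
            base += region_size
    finally:
        win32api.CloseHandle(pHandle)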
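# Guarded so importing this module for its functions does not start a scan
# of PID 1280 as a side effect.
if __name__ == "__main__":
    ReadProcessMemory(1280, rules)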