# Copyright (C) 2010-2012 Cuckoo Sandbox Developers. # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org # See the file 'docs/LICENSE' for copying permission. from ctypes import * KERNEL32 = windll.kernel32 ADVAPI32 = windll.advapi32 BYTE = c_ubyte WORD = c_ushort DWORD = c_ulong LONG = c_ulong LPBYTE = POINTER(c_ubyte) LPTSTR = POINTER(c_char) HANDLE = c_void_p PVOID = c_void_p LPVOID = c_void_p UINT_PTR = c_ulong SIZE_T = c_ulong HMODULE = c_ulong NULL = c_int(0) DEBUG_PROCESS = 0x00000001 CREATE_NEW_CONSOLE = 0x00000010 CREATE_SUSPENDED = 0x00000004 DBG_CONTINUE = 0x00010002 INFINITE = 0xFFFFFFFF PROCESS_ALL_ACCESS = 0x001F0FFF TOKEN_ALL_ACCESS = 0x000F01FF SE_PRIVILEGE_ENABLED = 0x00000002 STILL_ACTIVE = 0x00000103 PAGE_EXECUTE_READWRITE = 0x00000040 PAGE_EXECUTE = 0x00000010 PAGE_EXECUTE_READ = 0x00000020 PAGE_READONLY = 0x00000002 PAGE_READWRITE = 0x00000004 MEM_COMMIT = 0x00001000 MEM_RESERVE = 0x00002000 MEM_DECOMMIT = 0x00004000 MEM_RELEASE = 0x00008000 MEM_RESET = 0x00080000 PAGE_NOACCESS = 0x00000001 PAGE_READONLY = 0x00000002 PAGE_READWRITE = 0x00000004 PAGE_WRITECOPY = 0x00000008 PAGE_EXECUTE = 0x00000010 PAGE_EXECUTE_READ = 0x00000020 PAGE_EXECUTE_READWRITE = 0x00000040 PAGE_EXECUTE_WRITECOPY = 0x00000080 PAGE_GUARD = 0x00000100 PAGE_NOCACHE = 0x00000200 PAGE_WRITECOMBINE = 0x00000400 PIPE_ACCESS_DUPLEX = 0x00000003 PIPE_TYPE_MESSAGE = 0x00000004 PIPE_READMODE_MESSAGE = 0x00000002 PIPE_WAIT = 0x00000000 PIPE_UNLIMITED_INSTANCES = 0x000000ff INVALID_HANDLE_VALUE = 0xffffffff ERROR_BROKEN_PIPE = 0x0000006d ERROR_MORE_DATA = 0x000000EA FILE_ATTRIBUTE_HIDDEN = 0x00000002 class STARTUPINFO(Structure): _fields_ = [ ("cb", DWORD), ("lpReserved", LPTSTR), ("lpDesktop", LPTSTR), ("lpTitle", LPTSTR), ("dwX", DWORD), ("dwY", DWORD), ("dwXSize", DWORD), ("dwYSize", DWORD), ("dwXCountChars", DWORD), ("dwYCountChars", DWORD), ("dwFillAttribute",DWORD), ("dwFlags", DWORD), ("wShowWindow", WORD), ("cbReserved2", WORD), ("lpReserved2", LPBYTE), ("hStdInput", HANDLE), ("hStdOutput", HANDLE), ("hStdError", HANDLE), ] class PROCESS_INFORMATION(Structure): _fields_ = [ ("hProcess", HANDLE), ("hThread", HANDLE), ("dwProcessId", DWORD), ("dwThreadId", DWORD), ] class LUID(Structure): _fields_ = [ ('LowPart', DWORD), ('HighPart', LONG), ] class LUID_AND_ATTRIBUTES(Structure): _fields_ = [ ('Luid', LUID), ('Attributes', DWORD), ] class TOKEN_PRIVILEGES(Structure): _fields_ = [ ('PrivilegeCount', DWORD), ('Privileges', LUID_AND_ATTRIBUTES), ] class MEMORY_BASIC_INFORMATION(Structure): _fields_ = [ ("BaseAddress", PVOID), ("AllocationBase", PVOID), ("AllocationProtect", DWORD), ("RegionSize", SIZE_T), ("State", DWORD), ("Protect", DWORD), ("Type", DWORD), ] class PROC_STRUCT(Structure): _fields_ = [ ("wProcessorArchitecture", WORD), ("wReserved", WORD), ] class SYSTEM_INFO_UNION(Union): _fields_ = [ ("dwOemId", DWORD), ("sProcStruc", PROC_STRUCT), ] class SYSTEM_INFO(Structure): _fields_ = [ ("uSysInfo", SYSTEM_INFO_UNION), ("dwPageSize", DWORD), ("lpMinimumApplicationAddress", LPVOID), ("lpMaximumApplicationAddress", LPVOID), ("dwActiveProcessorMask", DWORD), ("dwNumberOfProcessors", DWORD), ("dwProcessorType", DWORD), ("dwAllocationGranularity", DWORD), ("wProcessorLevel", WORD), ("wProcessorRevision", WORD), ] class MEMORY_BASIC_INFORMATION(Structure): _fields_ = [ ("BaseAddress", PVOID), ("AllocationBase", PVOID), ("AllocationProtect", DWORD), ("RegionSize", SIZE_T), ("State", DWORD), ("Protect", DWORD), ("Type", DWORD), ] .