Kernel32

OpenProcess()

Opens an existing local process object.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms684320%28v=vs.85%29.aspx

Parameters:
  • dwDesiredAccess (DWORD) – The access to the process object. This access right is checked against the security descriptor for the process. This parameter can be one or more of the process access rights.
  • bInheritHandle (BOOL) – If this value is TRUE, processes created by this process will inherit the handle. Otherwise, the processes do not inherit this handle.
  • dwProcessId (DWORD) – The identifier of the local process to be opened.
Return type:

ctypes.c_ulong

TerminateProcess()

Terminates the specified process and all of its threads.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms686714%28v=vs.85%29.aspx

Parameters:
  • hProcess (HANDLE) – A handle to the process to be terminated.
  • uExitCode (UINT) – The exit code to be used by the process and threads terminated as a result of this call.
Return type:

ctypes.c_ulong

CloseHandle()

Closes an open object handle.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms724211%28v=vs.85%29.aspx

Parameters:
  • hObject (HANDLE) – A valid handle to an open object.
Return type:

ctypes.c_long

GetLastError()

Retrieves the calling thread’s last-error code value. The last-error code is maintained on a per-thread basis. Multiple threads do not overwrite each other’s last-error code.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms679360%28v=vs.85%29.aspx

Return type:

ctypes.c_ulong

GetCurrentProcess()

Retrieves a pseudo handle for the current process.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms683179%28v=vs.85%29.aspx

Return type:

ctypes.c_ulong

ReadProcessMemory()

Reads data from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553%28v=vs.85%29.aspx

Parameters:
  • hProcess – A handle to the process with memory that is being read. The handle must have PROCESS_VM_READ access to the process.
  • lpBaseAddress – A pointer to the base address in the specified process from which to read.
  • lpBuffer – A pointer to a buffer that receives the contents from the address space of the specified process.
  • nSize – The number of bytes to be read from the specified process.
  • lpNumberOfBytesRead – A pointer to a variable that receives the number of bytes transferred into the specified buffer.
Return type:

ctypes.c_long

WriteProcessMemory()

Writes data to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx

Parameters:
  • hProcess (HANDLE) – A handle to the process memory to be modified. The handle must have PROCESS_VM_WRITE and PROCESS_VM_OPERATION access to the process.
  • lpBaseAddress (LPVOID) – A pointer to the base address in the specified process to which data is written.
  • lpBuffer (LPCVOID) – A pointer to the buffer that contains data to be written in the address space of the specified process.
  • nSize (SIZE_T) – The number of bytes to be written to the specified process.
  • lpNumberOfBytesWritten (SIZE_T*) – A pointer to a variable that receives the number of bytes transferred into the specified process.
Return type:

ctypes.c_long

DebugActiveProcess()

Enables a debugger to attach to an active process and debug it.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms679295%28v=vs.85%29.aspx

Parameters:
  • dwProcessId (DWORD) – The identifier for the process to be debugged. The debugger is granted debugging access to the process as if it created the process with the DEBUG_ONLY_THIS_PROCESS flag. For more information, see the Remarks section of the linked MSDN page.
Return type:

ctypes.c_long

VirtualAllocEx()

Reserves or commits a region of memory within the virtual address space of a specified process. The function initializes the memory it allocates to zero, unless MEM_RESET is used.

https://msdn.microsoft.com/en-us/library/windows/desktop/aa366890%28v=vs.85%29.aspx

Parameters:
  • hProcess (HANDLE) – The handle to a process. The function allocates memory within the virtual address space of this process.
  • lpAddress (LPVOID) – The pointer that specifies a desired starting address for the region of pages that you want to allocate.
  • dwSize (SIZE_T) – The size of the region of memory to allocate, in bytes.
  • flAllocationType (DWORD) – The type of memory allocation.
  • flProtect (DWORD) – The memory protection for the region of pages to be allocated. This parameter can be one of the memory protection constants.
Return type:

ctypes.c_ulong

VirtualProtectEx()

Changes the protection on a region of committed pages in the virtual address space of a specified process.

https://msdn.microsoft.com/en-us/library/windows/desktop/aa366899%28v=vs.85%29.aspx

Parameters:
  • hProcess – A handle to the process whose memory protection is to be changed. The handle must have the PROCESS_VM_OPERATION access right.
  • lpAddress (LPVOID) – A pointer to the base address of the region of pages whose access protection attributes are to be changed.
  • dwSize (SIZE_T) – The size of the region whose access protection attributes are changed, in bytes.
  • flNewProtect (DWORD) – The memory protection option. This parameter can be one of the memory protection constants.
  • lpflOldProtect (PDWORD) – A pointer to a variable that receives the previous access protection value of the first page in the specified region of pages.
Return type:

ctypes.c_long

CreateToolhelp32Snapshot()

Takes a snapshot of the specified processes, as well as the heaps, modules, and threads used by these processes.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms682489%28v=vs.85%29.aspx

Parameters:
  • dwFlags (DWORD) – The portions of the system to be included in the snapshot.
  • th32ProcessID (DWORD) – The process identifier of the process to be included in the snapshot. This parameter can be zero to indicate the current process. This parameter is used when the TH32CS_SNAPHEAPLIST, TH32CS_SNAPMODULE, TH32CS_SNAPMODULE32, or TH32CS_SNAPALL value is specified. Otherwise, it is ignored and all processes are included in the snapshot.
Return type:

ctypes.c_ulong

Module32First()

Retrieves information about the first module associated with a process.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms684218%28v=vs.85%29.aspx

Parameters:
  • hSnapshot (HANDLE) – A handle to the snapshot returned from a previous call to the CreateToolhelp32Snapshot function.
  • lpme (LPMODULEENTRY32) – A pointer to a MODULEENTRY32 structure.
Return type:

ctypes.c_long

Module32Next()

Retrieves information about the next module associated with a process or thread.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms684221%28v=vs.85%29.aspx

Parameters:
  • hSnapshot (HANDLE) – A handle to the snapshot returned from a previous call to the CreateToolhelp32Snapshot function.
  • lpme (LPMODULEENTRY32) – A pointer to a MODULEENTRY32 structure.
Return type:

ctypes.c_long

Process32First()

Retrieves information about the first process encountered in a system snapshot.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms684834%28v=vs.85%29.aspx

Parameters:
  • hSnapshot (HANDLE) – A handle to the snapshot returned from a previous call to the CreateToolhelp32Snapshot function.
  • lppe (LPPROCESSENTRY32) – A pointer to a PROCESSENTRY32 structure. It contains process information such as the name of the executable file, the process identifier, and the process identifier of the parent process.
Return type:

ctypes.c_long

Process32Next()

Retrieves information about the next process recorded in a system snapshot.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms684836%28v=vs.85%29.aspx

Parameters:
  • hSnapshot (HANDLE) – A handle to the snapshot returned from a previous call to the CreateToolhelp32Snapshot function.
  • lppe (LPPROCESSENTRY32) – A pointer to a PROCESSENTRY32 structure.
Return type:

ctypes.c_long

Thread32First()

Retrieves information about the first thread of any process encountered in a system snapshot.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms686728%28v=vs.85%29.aspx

Parameters:
  • hSnapshot (HANDLE) – A handle to the snapshot returned from a previous call to the CreateToolhelp32Snapshot function.
  • lpte (LPTHREADENTRY32) – A pointer to a THREADENTRY32 structure.
Return type:

ctypes.c_long

Thread32Next()

Retrieves information about the next thread of any process encountered in the system memory snapshot.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms686731%28v=vs.85%29.aspx

Parameters:
  • hSnapshot (HANDLE) – A handle to the snapshot returned from a previous call to the CreateToolhelp32Snapshot function.
  • lpte (LPTHREADENTRY32) – A pointer to a THREADENTRY32 structure.
Return type:

ctypes.c_long

OpenThread()

Opens an existing thread object.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms684335%28v=vs.85%29.aspx

Parameters:
  • dwDesiredAccess (DWORD) – The access to the thread object. This access right is checked against the security descriptor for the thread. This parameter can be one or more of the thread access rights.
  • bInheritHandle (BOOL) – If this value is TRUE, processes created by this process will inherit the handle. Otherwise, the processes do not inherit this handle.
  • dwThreadId (DWORD) – The identifier of the thread to be opened.
Return type:

ctypes.c_ulong

SuspendThread()

Suspends the specified thread.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms686345%28v=vs.85%29.aspx

Parameters:
  • hThread (HANDLE) – A handle to the thread that is to be suspended.
Return type:

ctypes.c_ulong

ResumeThread()

Decrements a thread’s suspend count. When the suspend count is decremented to zero, the execution of the thread is resumed.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms685086%28v=vs.85%29.aspx

Parameters:
  • hThread (HANDLE) – A handle to the thread whose suspend count is to be decremented.
Return type:

ctypes.c_ulong

GetThreadContext()

Retrieves the context of the specified thread.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms679362%28v=vs.85%29.aspx

Parameters:
  • hThread (HANDLE) – A handle to the thread whose context is to be retrieved. The handle must have THREAD_GET_CONTEXT access to the thread.
  • lpContext (LPCONTEXT) – A pointer to a CONTEXT structure that receives the appropriate context of the specified thread.
Return type:

ctypes.c_long

SetThreadContext()

Sets the context for the specified thread.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680632%28v=vs.85%29.aspx

Parameters:
  • hThread (HANDLE) – A handle to the thread whose context is to be set. The handle must have the THREAD_SET_CONTEXT access right to the thread.
  • lpContext (CONTEXT) – A pointer to a CONTEXT structure that contains the context to be set in the specified thread.
Return type:

ctypes.c_long

VirtualFreeEx()

Releases, decommits, or releases and decommits a region of memory within the virtual address space of a specified process.

https://msdn.microsoft.com/en-us/library/windows/desktop/aa366894%28v=vs.85%29.aspx

Parameters:
  • hProcess (HANDLE) – A handle to a process. The function frees memory within the virtual address space of the process.
  • lpAddress (LPVOID) – A pointer to the starting address of the region of memory to be freed.
  • dwSize (SIZE_T) – The size of the region of memory to free, in bytes.
  • dwFreeType (DWORD) – The type of free operation.
Return type:

ctypes.c_long