Structure

Placeholder for Windows structures and constants.
class ModuleEntry32(ctypes.Structure)
    Describes an entry from a list of the modules belonging to the specified process.
    https://msdn.microsoft.com/en-us/library/windows/desktop/ms684225%28v=vs.85%29.aspx

    _fields_ = [
        ('dwSize', ctypes.c_ulong),                      # size of the structure; set before the first call
        ('th32ModuleID', ctypes.c_ulong),
        ('th32ProcessID', ctypes.c_ulong),
        ('GlblcntUsage', ctypes.c_ulong),
        ('ProccntUsage', ctypes.c_ulong),
        ('modBaseAddr', ctypes.POINTER(ctypes.c_byte)),  # base address of the module in the owning process
        ('modBaseSize', ctypes.c_ulong),
        ('hModule', ctypes.c_ulong),                     # HMODULE is pointer-sized; c_ulong matches the 32-bit layout only
        ('szModule', ctypes.c_char * 256),               # module name, NUL-terminated
        ('szExePath', ctypes.c_char * 260),              # full path, MAX_PATH characters
    ]
class ProcessEntry32(ctypes.Structure)
    Describes an entry from a list of the processes residing in the system address space when a snapshot was taken.
    https://msdn.microsoft.com/en-us/library/windows/desktop/ms684839(v=vs.85).aspx

    _fields_ = [
        ('dwSize', ctypes.c_ulong),                             # size of the structure; set before the first call
        ('cntUsage', ctypes.c_ulong),
        ('th32ProcessID', ctypes.c_ulong),
        ('th32DefaultHeapID', ctypes.POINTER(ctypes.c_ulong)),  # ULONG_PTR; a pointer type keeps it pointer-sized
        ('th32ModuleID', ctypes.c_ulong),
        ('cntThreads', ctypes.c_ulong),
        ('th32ParentProcessID', ctypes.c_ulong),
        ('pcPriClassBase', ctypes.c_long),
        ('dwFlags', ctypes.c_ulong),
        ('szExeFile', ctypes.c_char * 260),                     # executable name, MAX_PATH characters
    ]

    szExeFile
        Returns: the szExeFile field as a decoded UTF-8 string.
        Return type: string
class ThreadEntry32(ctypes.Structure)
    Describes an entry from a list of the threads executing in the system when a snapshot was taken.
    https://msdn.microsoft.com/en-us/library/windows/desktop/ms686735(v=vs.85).aspx

    _fields_ = [
        ('dwSize', ctypes.c_ulong),
        ('cntUsage', ctypes.c_ulong),
        ('th32ThreadID', ctypes.c_ulong),
        ('th32OwnerProcessID', ctypes.c_ulong),
        ('tpBasePri', ctypes.c_ulong),
        ('tpDeltaPri', ctypes.c_ulong),
        ('dwFlags', ctypes.c_ulong),
    ]
class PROCESS(object)
    Process manipulation flags

    PROCESS_CREATE_PROCESS = 0x0080
        Required to create a process.

    PROCESS_CREATE_THREAD = 0x0002
        Required to create a thread.

    PROCESS_DUP_HANDLE = 0x0040
        Required to duplicate a handle using DuplicateHandle.

    PROCESS_QUERY_INFORMATION = 0x0400
        Required to retrieve certain information about a process, such as its token, exit code, and priority class (see OpenProcessToken).

    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
        Required to retrieve certain information about a process (see GetExitCodeProcess, GetPriorityClass, IsProcessInJob, QueryFullProcessImageName).

    PROCESS_SET_INFORMATION = 0x0200
        Required to set certain information about a process, such as its priority class (see SetPriorityClass).

    PROCESS_SET_QUOTA = 0x0100
        Required to set memory limits using SetProcessWorkingSetSize.

    PROCESS_SUSPEND_RESUME = 0x0800
        Required to suspend or resume a process.

    PROCESS_TERMINATE = 0x0001
        Required to terminate a process using TerminateProcess.

    PROCESS_VM_OPERATION = 0x0008
        Required to perform an operation on the address space of a process (see VirtualProtectEx and WriteProcessMemory).

    PROCESS_VM_READ = 0x0010
        Required to read memory in a process using ReadProcessMemory.

    PROCESS_VM_WRITE = 0x0020
        Required to write to memory in a process using WriteProcessMemory.

    SYNCHRONIZE = 0x00100000
        Required to wait for the process to terminate using the wait functions.

    PROCESS_ALL_ACCESS = (0x000F0000 | 0x00100000 | 0xFFF)
        All possible access rights for a process object.

    DELETE = 0x00010000
        Required to delete the object.

    READ_CONTROL = 0x00020000
        Required to read information in the security descriptor for the object, not including the information in the SACL. To read or write the SACL, you must request the ACCESS_SYSTEM_SECURITY access right. For more information, see SACL Access Right.

    WRITE_DAC = 0x00040000
        Required to modify the DACL in the security descriptor for the object.

    WRITE_OWNER = 0x00080000
        Required to change the owner in the security descriptor for the object.
class MemoryAllocation(object)
    The type of memory allocation.
    https://msdn.microsoft.com/en-us/library/windows/desktop/aa366890%28v=vs.85%29.aspx

    MEM_COMMIT = 0x00001000
        Allocates memory charges (from the overall size of memory and the paging files on disk) for the specified reserved memory pages. The function also guarantees that when the caller later initially accesses the memory, the contents will be zero. Actual physical pages are not allocated unless/until the virtual addresses are actually accessed.

    MEM_RESERVE = 0x00002000
        Reserves a range of the process's virtual address space without allocating any actual physical storage in memory or in the paging file on disk.

    MEM_RESET = 0x00080000
        Indicates that data in the memory range specified by lpAddress and dwSize is no longer of interest. The pages should not be read from or written to the paging file. However, the memory block will be used again later, so it should not be decommitted. This value cannot be used with any other value.

    MEM_RESET_UNDO = 0x1000000
        MEM_RESET_UNDO should only be called on an address range to which MEM_RESET was successfully applied earlier. It indicates that the data in the memory range specified by lpAddress and dwSize is of interest to the caller and attempts to reverse the effects of MEM_RESET. If the function succeeds, all data in the specified address range is intact. If the function fails, at least some of the data in the address range has been replaced with zeroes.

    MEM_LARGE_PAGES = 0x20000000
        Allocates memory using large page support.

    MEM_PHYSICAL = 0x00400000
        Reserves an address range that can be used to map Address Windowing Extensions (AWE) pages.

    MEM_TOP_DOWN = 0x00100000
        Allocates memory at the highest possible address. This can be slower than regular allocations, especially when there are many allocations.

    MEM_DECOMMIT = 0x4000
        Decommits the specified region of committed pages. After the operation, the pages are in the reserved state.

    MEM_RELEASE = 0x8000
        Releases the specified region of pages. After this operation, the pages are in the free state.
class MemoryProtection(object)
    The following are the memory-protection options; you must specify one of the following values when allocating or protecting a page in memory.
    https://msdn.microsoft.com/en-us/library/windows/desktop/aa366786(v=vs.85).aspx

    PAGE_EXECUTE = 0x10
        Enables execute access to the committed region of pages. An attempt to write to the committed region results in an access violation.

    PAGE_EXECUTE_READ = 0x20
        Enables execute or read-only access to the committed region of pages. An attempt to write to the committed region results in an access violation.

    PAGE_EXECUTE_READWRITE = 0x40
        Enables execute, read-only, or read/write access to the committed region of pages.

    PAGE_EXECUTE_WRITECOPY = 0x80
        Enables execute, read-only, or copy-on-write access to a mapped view of a file mapping object. An attempt to write to a committed copy-on-write page results in a private copy of the page being made for the process. The private page is marked as PAGE_EXECUTE_READWRITE, and the change is written to the new page.

    PAGE_NOACCESS = 0x01
        Disables all access to the committed region of pages. An attempt to read from, write to, or execute the committed region results in an access violation.

    PAGE_READONLY = 0x02
        Enables read-only access to the committed region of pages. An attempt to write to the committed region results in an access violation. If Data Execution Prevention is enabled, an attempt to execute code in the committed region results in an access violation.

    PAGE_READWRITE = 0x04
        Enables read-only or read/write access to the committed region of pages. If Data Execution Prevention is enabled, attempting to execute code in the committed region results in an access violation.

    PAGE_WRITECOPY = 0x08
        Enables read-only or copy-on-write access to a mapped view of a file mapping object. An attempt to write to a committed copy-on-write page results in a private copy of the page being made for the process. The private page is marked as PAGE_READWRITE, and the change is written to the new page. If Data Execution Prevention is enabled, attempting to execute code in the committed region results in an access violation.

    PAGE_GUARD = 0x100
        Pages in the region become guard pages. Any attempt to access a guard page causes the system to raise a STATUS_GUARD_PAGE_VIOLATION exception and turn off the guard page status. Guard pages thus act as a one-time access alarm. For more information, see Creating Guard Pages.

    PAGE_NOCACHE = 0x200
        Sets all pages to be non-cacheable. Applications should not use this attribute except when explicitly required for a device. Using the interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception.

    PAGE_WRITECOMBINE = 0x400
        Sets all pages to be write-combined. Applications should not use this attribute except when explicitly required for a device. Using the interlocked functions with memory that is mapped as write-combined can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception.
SIZE_OF_80387_REGISTERS = 80

class FLOATING_SAVE_AREA(ctypes.Structure)
    Undocumented ctypes.Structure used for ThreadContext.

    _fields_ = [
        ('ControlWord', ctypes.c_uint),
        ('StatusWord', ctypes.c_uint),
        ('TagWord', ctypes.c_uint),
        ('ErrorOffset', ctypes.c_uint),
        ('ErrorSelector', ctypes.c_uint),
        ('DataOffset', ctypes.c_uint),
        ('DataSelector', ctypes.c_uint),
        ('RegisterArea', ctypes.c_byte * SIZE_OF_80387_REGISTERS),  # x87 FPU register image
        ('Cr0NpxState', ctypes.c_uint),
    ]

MAXIMUM_SUPPORTED_EXTENSION = 512

class ThreadContext(ctypes.Structure)
    Represents a thread context.

    _fields_ = [                         # 32-bit (x86) CONTEXT layout: Eip/Esp and the Dr0-Dr7 debug registers are 32-bit wide
        ('ContextFlags', ctypes.c_uint),  # selects which register groups GetThreadContext fills in
        ('Dr0', ctypes.c_uint),
        ('Dr1', ctypes.c_uint),
        ('Dr2', ctypes.c_uint),
        ('Dr3', ctypes.c_uint),
        ('Dr6', ctypes.c_uint),
        ('Dr7', ctypes.c_uint),
        ('FloatSave', FLOATING_SAVE_AREA),
        ('SegGs', ctypes.c_uint),
        ('SegFs', ctypes.c_uint),
        ('SegEs', ctypes.c_uint),
        ('SegDs', ctypes.c_uint),
        ('Edi', ctypes.c_uint),
        ('Esi', ctypes.c_uint),
        ('Ebx', ctypes.c_uint),
        ('Edx', ctypes.c_uint),
        ('Ecx', ctypes.c_uint),
        ('Eax', ctypes.c_uint),
        ('Ebp', ctypes.c_uint),
        ('Eip', ctypes.c_uint),
        ('SegCs', ctypes.c_uint),
        ('EFlags', ctypes.c_uint),
        ('Esp', ctypes.c_uint),
        ('SegSs', ctypes.c_uint),
        ('ExtendedRegisters', ctypes.c_byte * MAXIMUM_SUPPORTED_EXTENSION),
    ]