
  1  # Copyright (c) 2009-2010, Mario Vilas 
  2  # All rights reserved. 
  3  # 
  4  # Redistribution and use in source and binary forms, with or without 
  5  # modification, are permitted provided that the following conditions are met: 
  6  # 
  7  #     * Redistributions of source code must retain the above copyright notice, 
  8  #       this list of conditions and the following disclaimer. 
  9  #     * Redistributions in binary form must reproduce the above copyright 
 10  #       notice,this list of conditions and the following disclaimer in the 
 11  #       documentation and/or other materials provided with the distribution. 
 12  #     * Neither the name of the copyright holder nor the names of its 
 13  #       contributors may be used to endorse or promote products derived from 
 14  #       this software without specific prior written permission. 
 15  # 
 16  # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
 17  # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
 18  # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
 19  # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 
 20  # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
 21  # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
 22  # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
 23  # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
 24  # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
 25  # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
 26  # POSSIBILITY OF SUCH DAMAGE. 
 27   
 28  """ 
 29  Wrapper for ntdll.dll in ctypes. 
 30  """ 
 31   
# Subversion keyword expansion left from the original repository; purely
# informational, nothing in this module reads it.
__revision__ = "$Id: ntdll.py 655 2010-03-30 17:00:27Z qvasimodo $"
 33   
 34  from defines import * 
 35  from peb_teb import * 
 36   
#--- Types --------------------------------------------------------------------

# Information-class selectors are marshalled to the native APIs as plain
# DWORDs; the names only document which argument each alias is used for.
SYSDBG_COMMAND          = DWORD
PROCESSINFOCLASS        = DWORD
THREADINFOCLASS         = DWORD
FILE_INFORMATION_CLASS  = DWORD

#--- Constants ----------------------------------------------------------------

# DEP flags for ProcessExecuteFlags
# (the ProcessExecuteFlags information class is 34, see below).
MEM_EXECUTE_OPTION_ENABLE               = 1
MEM_EXECUTE_OPTION_DISABLE              = 2
MEM_EXECUTE_OPTION_ATL7_THUNK_EMULATION = 4
MEM_EXECUTE_OPTION_PERMANENT            = 8

# SYSTEM_INFORMATION_CLASS
# http://www.informit.com/articles/article.aspx?p=22442&seqNum=4
# The trailing comments give the documented output size for each class.
# No wrapper in this module consumes these yet (there is no
# NtQuerySystemInformation wrapper below); they are exported for callers.
SystemBasicInformation                  = 1     # 0x002C
SystemProcessorInformation              = 2     # 0x000C
SystemPerformanceInformation            = 3     # 0x0138
SystemTimeInformation                   = 4     # 0x0020
SystemPathInformation                   = 5     # not implemented
SystemProcessInformation                = 6     # 0x00F8 + per process
SystemCallInformation                   = 7     # 0x0018 + (n * 0x0004)
SystemConfigurationInformation          = 8     # 0x0018
SystemProcessorCounters                 = 9     # 0x0030 per cpu
SystemGlobalFlag                        = 10    # 0x0004
SystemInfo10                            = 11    # not implemented
SystemModuleInformation                 = 12    # 0x0004 + (n * 0x011C)
SystemLockInformation                   = 13    # 0x0004 + (n * 0x0024)
SystemInfo13                            = 14    # not implemented
SystemPagedPoolInformation              = 15    # checked build only
SystemNonPagedPoolInformation           = 16    # checked build only
SystemHandleInformation                 = 17    # 0x0004 + (n * 0x0010)
SystemObjectInformation                 = 18    # 0x0038+ + (n * 0x0030+)
SystemPagefileInformation               = 19    # 0x0018+ per page file
SystemInstemulInformation               = 20    # 0x0088
SystemInfo20                            = 21    # invalid info class
SystemCacheInformation                  = 22    # 0x0024
SystemPoolTagInformation                = 23    # 0x0004 + (n * 0x001C)
SystemProcessorStatistics               = 24    # 0x0000, or 0x0018 per cpu
SystemDpcInformation                    = 25    # 0x0014
SystemMemoryUsageInformation1           = 26    # checked build only
SystemLoadImage                         = 27    # 0x0018, set mode only
SystemUnloadImage                       = 28    # 0x0004, set mode only
SystemTimeAdjustmentInformation         = 29    # 0x000C, 0x0008 writeable
SystemMemoryUsageInformation2           = 30    # checked build only
SystemInfo30                            = 31    # checked build only
SystemInfo31                            = 32    # checked build only
SystemCrashDumpInformation              = 33    # 0x0004
SystemExceptionInformation              = 34    # 0x0010
SystemCrashDumpStateInformation         = 35    # 0x0008
SystemDebuggerInformation               = 36    # 0x0002
SystemThreadSwitchInformation           = 37    # 0x0030
SystemRegistryQuotaInformation          = 38    # 0x000C
SystemLoadDriver                        = 39    # 0x0008, set mode only
SystemPrioritySeparationInformation     = 40    # 0x0004, set mode only
SystemInfo40                            = 41    # not implemented
SystemInfo41                            = 42    # not implemented
SystemInfo42                            = 43    # invalid info class
SystemInfo43                            = 44    # invalid info class
SystemTimeZoneInformation               = 45    # 0x00AC
SystemLookasideInformation              = 46    # n * 0x0020
# info classes specific to Windows 2000
# WTS = Windows Terminal Server
SystemSetTimeSlipEvent                  = 47    # set mode only
SystemCreateSession                     = 48    # WTS, set mode only
SystemDeleteSession                     = 49    # WTS, set mode only
SystemInfo49                            = 50    # invalid info class
SystemRangeStartInformation             = 51    # 0x0004
SystemVerifierInformation               = 52    # 0x0068
SystemAddVerifier                       = 53    # set mode only
SystemSessionProcessesInformation       = 54    # WTS

# NtQueryInformationProcess constants (from MSDN)
# (superseded by the fuller PROCESS_INFORMATION_CLASS list below; kept as a
# record of which values MSDN documents)
##ProcessBasicInformation = 0
##ProcessDebugPort        = 7
##ProcessWow64Information = 26
##ProcessImageFileName    = 27

# PROCESS_INFORMATION_CLASS
# http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Process/PROCESS_INFORMATION_CLASS.html
# Only ProcessBasicInformation, ProcessImageFileName and the DWORD-sized
# classes listed in NtQueryInformationProcess() below get an automatic buffer;
# every other class needs an explicit ProcessInformationLength from the caller.
ProcessBasicInformation             = 0
ProcessQuotaLimits                  = 1
ProcessIoCounters                   = 2
ProcessVmCounters                   = 3
ProcessTimes                        = 4
ProcessBasePriority                 = 5
ProcessRaisePriority                = 6
ProcessDebugPort                    = 7
ProcessExceptionPort                = 8
ProcessAccessToken                  = 9
ProcessLdtInformation               = 10
ProcessLdtSize                      = 11
ProcessDefaultHardErrorMode         = 12
ProcessIoPortHandlers               = 13
ProcessPooledUsageAndLimits         = 14
ProcessWorkingSetWatch              = 15
ProcessUserModeIOPL                 = 16
ProcessEnableAlignmentFaultFixup    = 17
ProcessPriorityClass                = 18
ProcessWx86Information              = 19
ProcessHandleCount                  = 20
ProcessAffinityMask                 = 21
ProcessPriorityBoost                = 22

ProcessWow64Information             = 26
ProcessImageFileName                = 27

# http://www.codeproject.com/KB/security/AntiReverseEngineering.aspx
# ProcessDebugPort (7) and ProcessDebugObjectHandle (30) are the classes
# debugger-detection code typically queries; a debugger that wants to stay
# unnoticed by its debuggee has to account for both.
ProcessDebugObjectHandle            = 30

ProcessExecuteFlags                 = 34

# THREAD_INFORMATION_CLASS
ThreadBasicInformation              = 0
ThreadTimes                         = 1
ThreadPriority                      = 2
ThreadBasePriority                  = 3
ThreadAffinityMask                  = 4
ThreadImpersonationToken            = 5
ThreadDescriptorTableEntry          = 6
ThreadEnableAlignmentFaultFixup     = 7
ThreadEventPair                     = 8
ThreadQuerySetWin32StartAddress     = 9
ThreadZeroTlsCell                   = 10
ThreadPerformanceCount              = 11
ThreadAmILastThread                 = 12
ThreadIdealProcessor                = 13
ThreadPriorityBoost                 = 14
ThreadSetTlsArrayAddress            = 15
ThreadIsIoPending                   = 16
ThreadHideFromDebugger              = 17

# OBJECT_INFORMATION_CLASS
ObjectBasicInformation              = 0
ObjectNameInformation               = 1
ObjectTypeInformation               = 2
ObjectAllTypesInformation           = 3
ObjectHandleInformation             = 4

# FILE_INFORMATION_CLASS
# NOTE(review): FileOleDirectoryInformation and
# FileInheritContentIndexInformation are both assigned 37 below, so the
# values from 37 onwards cannot all be right - check them against the
# reference enumeration before relying on any of them.
FileDirectoryInformation            = 1
FileFullDirectoryInformation        = 2
FileBothDirectoryInformation        = 3
FileBasicInformation                = 4
FileStandardInformation             = 5
FileInternalInformation             = 6
FileEaInformation                   = 7
FileAccessInformation               = 8
FileNameInformation                 = 9
FileRenameInformation               = 10
FileLinkInformation                 = 11
FileNamesInformation                = 12
FileDispositionInformation          = 13
FilePositionInformation             = 14
FileFullEaInformation               = 15
FileModeInformation                 = 16
FileAlignmentInformation            = 17
FileAllInformation                  = 18
FileAllocationInformation           = 19
FileEndOfFileInformation            = 20
FileAlternateNameInformation        = 21
FileStreamInformation               = 22
FilePipeInformation                 = 23
FilePipeLocalInformation            = 24
FilePipeRemoteInformation           = 25
FileMailslotQueryInformation        = 26
FileMailslotSetInformation          = 27
FileCompressionInformation          = 28
FileCopyOnWriteInformation          = 29
FileCompletionInformation           = 30
FileMoveClusterInformation          = 31
FileQuotaInformation                = 32
FileReparsePointInformation         = 33
FileNetworkOpenInformation          = 34
FileObjectIdInformation             = 35
FileTrackingInformation             = 36
FileOleDirectoryInformation         = 37
FileContentIndexInformation         = 38
FileInheritContentIndexInformation  = 37    # duplicate of 37, see NOTE above
FileOleInformation                  = 39
FileMaximumInformation              = 40

# From http://www.nirsoft.net/kernel_struct/vista/EXCEPTION_DISPOSITION.html
# typedef enum _EXCEPTION_DISPOSITION
# {
#          ExceptionContinueExecution = 0,
#          ExceptionContinueSearch = 1,
#          ExceptionNestedException = 2,
#          ExceptionCollidedUnwind = 3
# } EXCEPTION_DISPOSITION;
ExceptionContinueExecution  = 0
ExceptionContinueSearch     = 1
ExceptionNestedException    = 2
ExceptionCollidedUnwind     = 3
233   
234  #--- PROCESS_BASIC_INFORMATION structure -------------------------------------- 
235   
236  # From MSDN: 
237  # 
238  # typedef struct _PROCESS_BASIC_INFORMATION { 
239  #     PVOID Reserved1; 
240  #     PPEB PebBaseAddress; 
241  #     PVOID Reserved2[2]; 
242  #     ULONG_PTR UniqueProcessId; 
243  #     PVOID Reserved3; 
244  # } PROCESS_BASIC_INFORMATION; 
245  ##class PROCESS_BASIC_INFORMATION(Structure): 
246  ##    _fields_ = [ 
247  ##        ("Reserved1",       PVOID), 
248  ##        ("PebBaseAddress",  PPEB), 
249  ##        ("Reserved2",       PVOID * 2), 
250  ##        ("UniqueProcessId", ULONG_PTR), 
251  ##        ("Reserved3",       PVOID), 
252  ##] 
253   
254  # From http://catch22.net/tuts/tips2 
255  # (Only valid for 32 bits) 
256  # 
257  # typedef struct 
258  # { 
259  #     ULONG      ExitStatus; 
260  #     PVOID      PebBaseAddress; 
261  #     ULONG      AffinityMask; 
262  #     ULONG      BasePriority; 
263  #     ULONG_PTR  UniqueProcessId; 
264  #     ULONG_PTR  InheritedFromUniqueProcessId; 
265  # } PROCESS_BASIC_INFORMATION; 
266   
267  # My own definition follows: 
class PROCESS_BASIC_INFORMATION(Structure):
    """
    Output block of NtQueryInformationProcess(ProcessBasicInformation).

    Field order and types are the native ABI; do not reorder or retype them.
    NOTE(review): the catch22 reference quoted above is 32-bit only, while
    this definition uses pointer-sized types (PVOID, KAFFINITY, ULONG_PTR)
    so it presumably also matches the 64-bit layout - confirm the widths of
    those aliases in C{defines} before using it from a 64-bit interpreter.
    """
    _fields_ = [
        ("ExitStatus",                   NTSTATUS),
        ("PebBaseAddress",               PVOID),      # PPEB
        ("AffinityMask",                 KAFFINITY),
        ("BasePriority",                 SDWORD),
        ("UniqueProcessId",              ULONG_PTR),
        ("InheritedFromUniqueProcessId", ULONG_PTR),
    ]
277 278 #--- THREAD_BASIC_INFORMATION structure --------------------------------------- 279 280 # From http://undocumented.ntinternals.net/UserMode/Structures/THREAD_BASIC_INFORMATION.html 281 # 282 # typedef struct _THREAD_BASIC_INFORMATION { 283 # NTSTATUS ExitStatus; 284 # PVOID TebBaseAddress; 285 # CLIENT_ID ClientId; 286 # KAFFINITY AffinityMask; 287 # KPRIORITY Priority; 288 # KPRIORITY BasePriority; 289 # } THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;
class THREAD_BASIC_INFORMATION(Structure):
    """
    Output block of NtQueryInformationThread(ThreadBasicInformation).

    Mirrors the undocumented native layout quoted above; KPRIORITY is
    represented as SDWORD.  Field order is the ABI and must be preserved.
    """
    _fields_ = [
        ("ExitStatus",     NTSTATUS),
        ("TebBaseAddress", PVOID),      # PTEB
        ("ClientId",       CLIENT_ID),
        ("AffinityMask",   KAFFINITY),
        ("Priority",       SDWORD),     # KPRIORITY
        ("BasePriority",   SDWORD),     # KPRIORITY
    ]
299 300 #--- FILE_NAME_INFORMATION structure ------------------------------------------ 301 302 # typedef struct _FILE_NAME_INFORMATION { 303 # ULONG FileNameLength; 304 # WCHAR FileName[1]; 305 # } FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
class FILE_NAME_INFORMATION(Structure):
    """
    Output block of NtQueryInformationFile(FileNameInformation).

    Variable-length in the native API: C{FileName[1]} is only a placeholder
    and the real characters continue past the end of this structure, so a
    caller has to allocate a larger buffer and overlay this type on it.
    NOTE(review): C{FileNameLength} is presumably a byte count, not a
    character count - confirm before slicing C{FileName} with it.
    """
    _fields_ = [
        ("FileNameLength", ULONG),
        ("FileName",       WCHAR * 1),
    ]
#--- SYSDBG_MSR structure and constants ---------------------------------------

# SYSDBG_COMMAND values for NtSystemDebugControl; both use SYSDBG_MSR (below)
# as their input/output block.  Model-specific register access is a
# kernel-level privilege; see the notes on NtSystemDebugControl().
SysDbgReadMsr  = 16
SysDbgWriteMsr = 17
class SYSDBG_MSR(Structure):
    """
    Input/output block for the SysDbgReadMsr / SysDbgWriteMsr commands of
    NtSystemDebugControl.

    C{Address} selects the register; C{Data} carries its 64-bit value in
    (write) or out (read).
    """
    _fields_ = [
        ("Address", ULONG),
        ("Data",    ULONGLONG),
    ]
322 323 #--- IO_STATUS_BLOCK structure ------------------------------------------------ 324 325 # typedef struct _IO_STATUS_BLOCK { 326 # union { 327 # NTSTATUS Status; 328 # PVOID Pointer; 329 # }; 330 # ULONG_PTR Information; 331 # } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
class IO_STATUS_BLOCK(Structure):
    """
    Completion status of a native I/O call (see NtQueryInformationFile).

    The native struct overlays C{Status} and C{Pointer} in a union; here only
    C{Status} is a real field and C{Pointer} is emulated on top of it through
    the property below.
    NOTE(review): C{Status} is an NTSTATUS while C{Pointer} is pointer-sized,
    so on a 64-bit build the emulated C{Pointer} cannot hold the upper half
    of a pointer (read truncates, write may overflow the field) - confirm
    the NTSTATUS width in C{defines} before relying on C{Pointer} there.
    """
    _fields_ = [
        ("Status",      NTSTATUS),
        ("Information", ULONG_PTR),
    ]
    def __get_Pointer(self):
        # Reinterpret the status word as a pointer value.
        return PVOID(self.Status)
    def __set_Pointer(self, ptr):
        # ptr is expected to be a ctypes pointer-like object (has .value).
        self.Status = ptr.value
    Pointer = property(__get_Pointer, __set_Pointer)
# Pointer type used in the argtypes of NtQueryInformationFile() below.
PIO_STATUS_BLOCK = POINTER(IO_STATUS_BLOCK)

#--- ntdll.dll ----------------------------------------------------------------

# ULONG WINAPI RtlNtStatusToDosError(
#   __in  NTSTATUS Status
# );
def RtlNtStatusToDosError(Status):
    """
    Translate an NTSTATUS code into the equivalent Win32 error code.

    Used by the other wrappers in this module to turn a failed native call
    into a C{WindowsError} with a meaningful error number.

    @type  Status: int
    @param Status: NTSTATUS value returned by a native API.

    @rtype:  int
    @return: Win32 error code (ULONG) suitable for C{ctypes.WinError}.
    """
    translate = windll.ntdll.RtlNtStatusToDosError
    translate.argtypes = [NTSTATUS]
    translate.restype  = ULONG
    return translate(Status)
355 356 # NTSYSAPI NTSTATUS NTAPI NtSystemDebugControl( 357 # IN SYSDBG_COMMAND Command, 358 # IN PVOID InputBuffer OPTIONAL, 359 # IN ULONG InputBufferLength, 360 # OUT PVOID OutputBuffer OPTIONAL, 361 # IN ULONG OutputBufferLength, 362 # OUT PULONG ReturnLength OPTIONAL 363 # );
def NtSystemDebugControl(Command, InputBuffer = None, InputBufferLength = None, OutputBuffer = None, OutputBufferLength = None):
    """
    Thin wrapper over ntdll's NtSystemDebugControl.

    NOTE(review): this is a kernel debugging interface (e.g. the MSR
    read/write commands above); it needs SeDebugPrivilege and, on newer
    Windows versions, is presumably refused unless kernel debugging is
    enabled - confirm on the target OS rather than assuming success.

    @type  Command: int
    @param Command: SYSDBG_COMMAND value, e.g. L{SysDbgReadMsr}.

    @type  InputBuffer: ctypes object or None
    @param InputBuffer: Input block, passed by reference.  May be omitted.

    @type  InputBufferLength: int or None
    @param InputBufferLength: Size of C{InputBuffer}; defaults to its
        C{sizeof}.  Giving a length without a buffer is an error.

    @type  OutputBuffer: ctypes object or None
    @param OutputBuffer: Output block, passed by reference.  When omitted
        but C{OutputBufferLength} is given, a raw buffer of that size is
        allocated here.

    @type  OutputBufferLength: int or None
    @param OutputBufferLength: Size of C{OutputBuffer}; defaults to its
        C{sizeof}, or 0 when there is no output buffer.

    @rtype:  tuple( ctypes object, int ) or None
    @return: C{(OutputBuffer, ReturnLength)} when an output buffer was used,
        C{None} otherwise.

    @raise ValueError: C{InputBufferLength} given without C{InputBuffer}.
    @raise WindowsError: The native call failed, or it reported a returned
        length different from C{OutputBufferLength} (mapped to
        C{ERROR_BAD_LENGTH}; note this rejects short but successful reads).
    """
    native = windll.ntdll.NtSystemDebugControl
    native.argtypes = [SYSDBG_COMMAND, PVOID, ULONG, PVOID, ULONG, PULONG]
    native.restype  = NTSTATUS

    # Input side: either nothing at all, or an object passed by reference.
    if InputBuffer is not None:
        if InputBufferLength is None:
            InputBufferLength = sizeof(InputBuffer)
        InputBuffer = ctypes.byref(InputBuffer)
    elif InputBufferLength is None:
        InputBufferLength = 0
    else:
        raise ValueError("Invalid call to NtSystemDebugControl:input buffer length given but no input buffer!")

    # Output side: allocate scratch space when only a length was supplied.
    if OutputBuffer is None and OutputBufferLength is not None:
        OutputBuffer = ctypes.create_string_buffer("", OutputBufferLength)
    elif OutputBuffer is None:
        OutputBufferLength = 0
    elif OutputBufferLength is None:
        OutputBufferLength = sizeof(OutputBuffer)

    # No output buffer: fire and check the status only.
    if OutputBuffer is None:
        status = native(Command, InputBuffer, InputBufferLength, None, 0, None)
        if status != 0:
            raise ctypes.WinError(RtlNtStatusToDosError(status))
        return None

    # With an output buffer: also collect and validate the returned length.
    returned = ULONG(0)
    status = native(Command, InputBuffer, InputBufferLength, ctypes.byref(OutputBuffer), OutputBufferLength, ctypes.byref(returned))
    if status != 0:
        raise ctypes.WinError(RtlNtStatusToDosError(status))
    if returned.value != OutputBufferLength:
        raise ctypes.WinError(ERROR_BAD_LENGTH)
    return OutputBuffer, returned.value
# The Zw* spelling resolves to the same Python wrapper.
ZwSystemDebugControl = NtSystemDebugControl

# NTSTATUS WINAPI NtQueryInformationProcess(
#   __in       HANDLE ProcessHandle,
#   __in       PROCESSINFOCLASS ProcessInformationClass,
#   __out      PVOID ProcessInformation,
#   __in       ULONG ProcessInformationLength,
#   __out_opt  PULONG ReturnLength
# );
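def NtQueryInformationProcess(ProcessHandle, ProcessInformationClass, ProcessInformationLength = None):
    """
    Query one information class of a process through ntdll's
    NtQueryInformationProcess.

    @type  ProcessHandle: int
    @param ProcessHandle: Handle to the target process.  NOTE(review): the
        access right required depends on the class - confirm per caller.

    @type  ProcessInformationClass: int
    @param ProcessInformationClass: One of the C{Process*} constants above.

    @type  ProcessInformationLength: int or None
    @param ProcessInformationLength: Optional output buffer size.  When given,
        a raw buffer of that size is used instead of the typed one, and the
        return-value rules below are applied to that raw buffer.  When
        omitted, the buffer is chosen by class; unknown classes raise.

    @rtype:  L{PROCESS_BASIC_INFORMATION}, int, unicode or str
    @return:
         - C{ProcessBasicInformation}: a L{PROCESS_BASIC_INFORMATION}.
         - C{ProcessDebugPort}, C{ProcessWow64Information},
           C{ProcessWx86Information}, C{ProcessHandleCount},
           C{ProcessPriorityBoost}: the DWORD value.
         - C{ProcessImageFileName}: the image path as a unicode string
           (in the native NT path form the kernel reports).
         - Any other class (explicit length only): the returned raw bytes.

    @raise WindowsError: The native call failed; the NTSTATUS is translated
        with L{RtlNtStatusToDosError}.
    @raise Exception: Unknown class and no explicit length given.
    """
    _NtQueryInformationProcess = windll.ntdll.NtQueryInformationProcess
    _NtQueryInformationProcess.argtypes = [HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG]
    _NtQueryInformationProcess.restype  = NTSTATUS

    # Classes whose output is a single DWORD.
    dword_classes = (ProcessDebugPort, ProcessWow64Information, ProcessWx86Information, ProcessHandleCount, ProcessPriorityBoost)

    if ProcessInformationLength is not None:
        ProcessInformation = ctypes.create_string_buffer("", ProcessInformationLength)
    elif ProcessInformationClass == ProcessBasicInformation:
        ProcessInformation = PROCESS_BASIC_INFORMATION()
        ProcessInformationLength = sizeof(PROCESS_BASIC_INFORMATION)
    elif ProcessInformationClass == ProcessImageFileName:
        # The kernel writes a UNICODE_STRING header and appends the characters
        # to the SAME caller buffer, pointing Buffer just past the header; so
        # header and storage must be one allocation passed with its total
        # size.  (Passing only sizeof(UNICODE_STRING) with a detached
        # character buffer, as before, cannot work; and ctypes.cast() to an
        # array type - not a pointer type - raises TypeError, so the old
        # decoding path never succeeded either.)
        ProcessInformationLength = sizeof(UNICODE_STRING) + 0x1000 * sizeof(WCHAR)
        ProcessInformation = ctypes.create_string_buffer("", ProcessInformationLength)
    elif ProcessInformationClass in dword_classes:
        ProcessInformation = DWORD()
        ProcessInformationLength = sizeof(DWORD)
    else:
        raise Exception("Unknown ProcessInformationClass, use an explicit ProcessInformationLength value instead")

    ReturnLength = ULONG(0)
    ntstatus = _NtQueryInformationProcess(ProcessHandle, ProcessInformationClass, ctypes.byref(ProcessInformation), ProcessInformationLength, ctypes.byref(ReturnLength))
    if ntstatus != 0:
        raise ctypes.WinError( RtlNtStatusToDosError(ntstatus) )

    if ProcessInformationClass == ProcessBasicInformation:
        return ProcessInformation
    if ProcessInformationClass in dword_classes:
        return ProcessInformation.value
    if ProcessInformationClass == ProcessImageFileName:
        # Overlay the header on the buffer; Length is a byte count.
        name = UNICODE_STRING.from_buffer(ProcessInformation)
        if not name.Buffer or not name.Length:
            return u""
        return ctypes.wstring_at(name.Buffer, name.Length // sizeof(WCHAR))
    # Explicit-length query of an untyped class: hand back what came back.
    return ProcessInformation.raw[:ReturnLength.value]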
# The Zw* spelling resolves to the same Python wrapper.
ZwQueryInformationProcess = NtQueryInformationProcess

# NTSTATUS WINAPI NtQueryInformationThread(
#   __in       HANDLE ThreadHandle,
#   __in       THREADINFOCLASS ThreadInformationClass,
#   __out      PVOID ThreadInformation,
#   __in       ULONG ThreadInformationLength,
#   __out_opt  PULONG ReturnLength
# );
def NtQueryInformationThread(ThreadHandle, ThreadInformationClass, ThreadInformationLength = None):
    """
    Query one information class of a thread through ntdll's
    NtQueryInformationThread.

    @type  ThreadHandle: int
    @param ThreadHandle: Handle to the target thread.

    @type  ThreadInformationClass: int
    @param ThreadInformationClass: One of the C{Thread*} constants above.

    @type  ThreadInformationLength: int or None
    @param ThreadInformationLength: Optional output buffer size.  When given,
        a raw buffer of that size is used instead of the typed one and the
        return-value rules below are applied to it.  When omitted, the buffer
        is chosen by class; unknown classes raise.

    @rtype:  L{THREAD_BASIC_INFORMATION}, int or str
    @return:
         - C{ThreadBasicInformation}: a L{THREAD_BASIC_INFORMATION}.
         - C{ThreadQuerySetWin32StartAddress}, C{ThreadAmILastThread},
           C{ThreadPriorityBoost}, C{ThreadHideFromDebugger}: the DWORD value.
           NOTE(review): whether ThreadHideFromDebugger is queryable (rather
           than set-only) presumably depends on the OS version - confirm.
         - C{ThreadPerformanceCount}: the 64-bit value.
         - Any other class (explicit length only): the returned raw bytes.

    @raise WindowsError: The native call failed; the NTSTATUS is translated
        with L{RtlNtStatusToDosError}.
    @raise Exception: Unknown class and no explicit length given.
    """
    native = windll.ntdll.NtQueryInformationThread
    native.argtypes = [HANDLE, THREADINFOCLASS, PVOID, ULONG, PULONG]
    native.restype  = NTSTATUS

    # Classes whose output is a single DWORD.
    dword_classes = (ThreadQuerySetWin32StartAddress, ThreadAmILastThread, ThreadPriorityBoost, ThreadHideFromDebugger)

    if ThreadInformationLength is not None:
        block = ctypes.create_string_buffer("", ThreadInformationLength)
    elif ThreadInformationClass == ThreadBasicInformation:
        block = THREAD_BASIC_INFORMATION()
        ThreadInformationLength = sizeof(THREAD_BASIC_INFORMATION)
    elif ThreadInformationClass in dword_classes:
        block = DWORD()
        ThreadInformationLength = sizeof(DWORD)
    elif ThreadInformationClass == ThreadPerformanceCount:
        block = LONGLONG()  # LARGE_INTEGER
        ThreadInformationLength = sizeof(LONGLONG)
    else:
        raise Exception("Unknown ThreadInformationClass, use an explicit ThreadInformationLength value instead")

    returned = ULONG(0)
    status = native(ThreadHandle, ThreadInformationClass, ctypes.byref(block), ThreadInformationLength, ctypes.byref(returned))
    if status != 0:
        raise ctypes.WinError(RtlNtStatusToDosError(status))

    if ThreadInformationClass == ThreadBasicInformation:
        return block
    if ThreadInformationClass in dword_classes or ThreadInformationClass == ThreadPerformanceCount:
        return block.value
    return block.raw[:returned.value]
# The Zw* spelling resolves to the same Python wrapper.
ZwQueryInformationThread = NtQueryInformationThread

# NTSTATUS
# NtQueryInformationFile(
#     IN HANDLE  FileHandle,
#     OUT PIO_STATUS_BLOCK  IoStatusBlock,
#     OUT PVOID  FileInformation,
#     IN ULONG  Length,
#     IN FILE_INFORMATION_CLASS  FileInformationClass
# );
# Note the Python wrapper below takes its arguments in a different order
# (FileHandle, FileInformationClass, FileInformation, Length) and owns the
# IO_STATUS_BLOCK itself.
def NtQueryInformationFile(FileHandle, FileInformationClass, FileInformation, Length):
    """
    Query one information class of an open file through ntdll's
    NtQueryInformationFile.

    The argument order differs from the native prototype: the information
    class comes second and the IO_STATUS_BLOCK is created and returned here.

    @type  FileHandle: int
    @param FileHandle: Handle to the open file.

    @type  FileInformationClass: int
    @param FileInformationClass: One of the C{File*} constants above.

    @type  FileInformation: ctypes object
    @param FileInformation: Output block, filled in place (e.g. an instance
        of L{FILE_NAME_INFORMATION} overlaid on a larger buffer).

    @type  Length: int
    @param Length: Size in bytes of the memory behind C{FileInformation}.
        Passed through unchecked because variable-length classes legitimately
        use a buffer larger than C{sizeof(FileInformation)}; the caller is
        responsible for never claiming more bytes than are really allocated,
        since the kernel writes up to C{Length}.

    @rtype:  L{IO_STATUS_BLOCK}
    @return: Status block of the call; C{Information} typically carries the
        number of bytes written.

    @raise WindowsError: The native call failed; the NTSTATUS is translated
        with L{RtlNtStatusToDosError}.
    """
    native = windll.ntdll.NtQueryInformationFile
    native.argtypes = [HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, DWORD]
    native.restype  = NTSTATUS

    iosb = IO_STATUS_BLOCK()
    status = native(FileHandle, ctypes.byref(iosb), ctypes.byref(FileInformation), Length, FileInformationClass)
    if status != 0:
        raise ctypes.WinError(RtlNtStatusToDosError(status))
    return iosb
# The Zw* spelling resolves to the same Python wrapper.
ZwQueryInformationFile = NtQueryInformationFile

# DWORD STDCALL CsrGetProcessId (VOID);
def CsrGetProcessId():
    """
    Call ntdll's undocumented CsrGetProcessId.

    NOTE(review): by name this presumably returns the process id of the
    client/server runtime (csrss) serving the calling session; the export is
    undocumented, so confirm the meaning on the target OS.

    @rtype:  int
    @return: The DWORD returned by the native routine.
    """
    native = windll.ntdll.CsrGetProcessId
    native.argtypes = []
    native.restype  = DWORD
    return native()