I use Python to call external programs on Win7 x64, but I want to hide the command line options.
```python
import winpexpect
thread = winpexpect.winspawn(cmd, timeout=TIMEOUT)

import pexpect
thread = pexpect.spawn(cmd, timeout=TIMEOUT)

import subprocess
...
```
Since I am passing the cmd tool some protected information and I don't want others to see it in Task Manager, is there a way to "obfuscate" or change it? Or, even better, completely hide the process from Task Manager?
I read about it (How to clear the process command line?) but don't know how to do this in Python. Keywords: RTL_USER_PROCESS_PARAMETERS, process workspace block.
Edit: I found a package called winappdbg:

```python
>>> from winappdbg import Process, HexDump
>>> p = Process(pid)
>>> p.get_command_line_block()
(3552076L, 880)
>>> peb = p.get_peb()
<winappdbg.win32.peb_teb.PEB object at 0x00000000030A92C8>
>>> dir(peb)
['ActivationContextData', 'ActiveProcessAffinityMask', 'AnsiCodePageData', 'ApiSetMap',
 'AppCompatFlags', 'AppCompatFlagsUser', 'AppCompatInfo', 'AtlThunkSListPtr',
 'AtlThunkSListPtr32', 'BeingDebugged', 'BitField', 'CSDVersion', 'CriticalSectionTimeout',
 'CrossProcessFlags', 'FastPebLock', 'FlsBitmap', 'FlsBitmapBits', 'FlsCallback',
 'FlsHighIndex', 'FlsListHead', 'GdiDCAttributeList', 'GdiHandleBuffer',
 'GdiSharedHandleTable', 'HeapDeCommitFreeBlockThreshold', 'HeapDeCommitTotalFreeThreshold',
 'HeapSegmentCommit', 'HeapSegmentReserve', 'HotpatchInformation', 'IFEOKey',
 'ImageBaseAddress', 'ImageSubsystem', 'ImageSubsystemMajorVersion',
 'ImageSubsystemMinorVersion', 'InheritedAddressSpace', 'KernelCallbackTable', 'Ldr',
 'LoaderLock', 'MaximumNumberOfHeaps', 'MinimumStackCommit', 'Mutant', 'NtGlobalFlag',
 'NumberOfHeaps', 'NumberOfProcessors', 'OSBuildNumber', 'OSCSDVersion', 'OSMajorVersion',
 'OSMinorVersion', 'OSPlatformId', 'OemCodePageData', 'PostProcessInitRoutine',
 'ProcessAssemblyStorageMap', 'ProcessHeap', 'ProcessHeaps', 'ProcessParameters',
 'ProcessStarterHelper', 'ReadImageFileExecOptions', 'ReadOnlySharedMemoryBase',
 'ReadOnlyStaticServerData', 'SessionId', 'SubSystemData', 'SystemAssemblyStorageMap',
 'SystemDefaultActivationContextData', 'SystemReserved', 'TlsBitmap', 'TlsBitmapBits',
 'TlsExpansionBitmap', 'TlsExpansionBitmapBits', 'TlsExpansionCounter', 'TracingFlags',
 'UnicodeCaseTableData', 'WerRegistrationData', 'WerShipAssertPtr', '__class__',
 '__ctypes_from_outparam__', '__delattr__', '__dict__', '__doc__', '__format__',
 '__getattribute__', '__hash__', '__init__', '__module__', '__new__', '__reduce__',
 '__reduce_ex__', '__repr__', '__setattr__', '__setstate__', '__sizeof__', '__str__',
 '__subclasshook__', '__weakref__', '_b_base_', '_b_needsfree_', '_fields_', '_objects',
 '_pack_', 'pContextData', 'pImageHeaderHash', 'pShimData']
>>> peb.ProcessParameters
3549056L
```
winappdbg's `_RTL_USER_PROCESS_PARAMETERS` ctypes struct definition, and the part that reads the command line, are here.

What can I do with it? Calculate the address and use `p.poke(baseAddr + offsetAddr, newCommandLineString)`?
C++ link
Edit 2: this piece of code seems to work:

```python
p = Process(pid)
# (address, maximum size) of the target's command line block
cb = p.get_command_line_block()
# Overwrite the block with 'doingSomething' encoded as UTF-16LE, followed by a
# full two-byte NUL terminator (the original "+ '\x00\x00'" only wrote one
# byte of the terminating wchar and relied on the old buffer for the other)
p.write(cb[0], 'doingSomething'.encode('utf-16le') + '\x00\x00')
```
But can anyone show me how to do this without using the winappdbg package? I don't want to import another huge module. How do I write this with only pywin32 and ctypes?
By the way, I feel this is a kind of hack. Do I need to reset all the remaining addresses using \x00? Because

```python
>>> cb[1]
880
```

The original command line is closed. Or do I need to call something so that this memory address block is updated correctly?
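Since what Task Manager shows is whatever landed in the PEB's command line block at spawn time, the reliable fix is to keep the secret out of argv entirely and hand it to the child over a pipe. The block below is an added example, not code from the question or from winappdbg; it uses only the standard library, and the child script, argument names and secret value are constructed for the demo.

```python
import subprocess
import sys

# Constructed child program: it reads its secret from stdin rather than argv,
# so the secret never appears in the command line that Task Manager, wmic, or
# any other process reading the child's PEB can see.
CHILD_SCRIPT = r"""
import sys
secret = sys.stdin.readline().rstrip("\n")
# Echo back argv (what an observer sees) and whether the secret arrived.
print("argv=" + repr(sys.argv[1:]))
print("got_secret=" + str(len(secret) > 0))
"""


def run_with_secret_on_stdin(public_args, secret, timeout=30):
    """Spawn the child with only non-sensitive arguments on its command line.

    The secret is written to the child's stdin through a pipe held only by the
    parent and child, then stdin is closed so the child cannot block on it.
    Returns (command line used, argv as reported by the child, secret received).
    """
    cmd = [sys.executable, "-c", CHILD_SCRIPT] + list(public_args)
    proc = subprocess.Popen(
        cmd,
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        universal_newlines=True,
    )
    out, _ = proc.communicate(secret + "\n", timeout=timeout)
    fields = dict(line.split("=", 1) for line in out.splitlines())
    return cmd, fields["argv"], fields["got_secret"] == "True"


def secret_absent_from_cmdline(public_args, secret):
    """True if the child got the secret and no argv element contains it."""
    cmd, _argv_seen, received = run_with_secret_on_stdin(public_args, secret)
    return received and all(secret not in part for part in cmd)
```

The same pattern works with pexpect/winpexpect, which expose `sendline()` on the spawned child for exactly this purpose.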