@iljavs
Last active November 30, 2022 10:03
#!/usr/bin/python
import os
import sys
import time
import win32api
import win32con
import win32security
import wmi # pip install wmi
import psutil
import multiprocessing
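# Lower-cased basenames of DLLs considered normal inside svchost.exe.
# print_dlls() suppresses these and reports everything else it finds
# mapped.  NOTE: this is an allowlist by NAME ONLY - it says nothing about
# where a module was loaded from, so a planted "kernel32.dll" in a
# user-writable directory would match it; callers must also look at the
# path.  Extend for the services hosted on the machine under review.
dlls = frozenset([
    "advapi32.dll",
    "crypt32.dll",
    "cryptbase.dll",
    "cryptsp.dll",
    "gdi32.dll",
    "kernel32.dll",
    "msasn1.dll",
    "msvcp_win.dll",
    "msvcrt.dll",
    "ntdll.dll",
    "sechost.dll",
    "shell32.dll",
    "shlwapi.dll",
    "umb.dll",
    "regapi.dll",
    "propsys.dll",
    "dxcore.dll",
    "d3d11.dll",
    "lsmon.dll",
    "rmclient.dll",
    "user32.dll",
    "win32u.dll",
    "winmm.dll",
    "dxgi.dll",
    "d3d10.dll",
    "winsta.dll",
    "dwmapi.dll",
    "authz.dll",
    "bcrypt.dll",
    "ntmarta.dll",
    "iphlpapi.dll",
    "wldp.dll",
    "gdi32full.dll",
    "nsi.dll",
    "gdiplus.dll",
    "websocket.dll",
    "lsmproxy.dll",
    "kernel.appcore.dll",
    "umpdc.dll",
    "ntasn1.dll",
    "ncrypt.dll",
    "devobj.dll",
    "dpapi.dll",
    "userenv.dll",
    "sspicli.dll",
    "bcryptprimitives.dll",
    "cfgmgr32.dll",
    "ucrtbase.dll",
    "kernelbase.dll",
    "oleaut32.dll",
    "clbcatq.dll",
    "shcore.dll",
    "ws2_32.dll",
    "combase.dll",
    "setupapi.dll",
])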
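def pathforpid(pid):
    """Return the image path of process *pid*, or None if it cannot be read.

    Used to label the parent of a newly created process.  Two caveats for
    anyone reading the output: the lookup happens after the child was
    created, so the parent may already have exited or its pid been
    recycled by an unrelated process; and a creator can choose the parent
    Windows records for it (parent-pid spoofing).  Treat the result as a
    hint, not provenance.

    A direct psutil lookup replaces the earlier scan over every process,
    which did the same thing in O(n).
    """
    try:
        return psutil.Process(pid).exe()
    except (psutil.Error, OSError, ValueError):
        # no such process, access denied (protected/system process),
        # zombie, or a pid that is not a valid process id
        return None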
def get_dll_description(filename):
    """Return the FileDescription string from *filename*'s version resource.

    The translation table is read first to learn the (language, codepage)
    pair the string block is stored under.  Any failure (no version
    resource, unreadable file, pywin32 error) yields "" so callers can
    print the result inline without special-casing it.
    """
    try:
        lang, codepage = win32api.GetFileVersionInfo(
            filename, "\\VarFileInfo\\Translation")[0]
        key = "\\StringFileInfo\\%04X%04X\\FileDescription" % (lang, codepage)
        return win32api.GetFileVersionInfo(filename, key)
    except Exception:
        return ""
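def print_dlls(pid):
    """Print the modules mapped into process *pid* that are not expected.

    One line per DLL, formatted ``\\tpath - FileDescription``.  A module is
    suppressed only when BOTH its lower-cased basename is in the ``dlls``
    allowlist AND it lives under %SystemRoot%.  The allowlist is by name
    only; without the path test a DLL dropped next to the binary or in a
    user-writable directory under a well-known name (search-order
    hijacking) would be hidden from the output.
    """
    system_root = os.path.normcase(
        os.environ.get("SystemRoot", r"C:\Windows")).rstrip(os.sep) + os.sep
    try:
        mappings = psutil.Process(pid).memory_maps()
    except psutil.Error as exc:
        # already gone, or a protected/system process we cannot open:
        # say so instead of silently listing nothing
        print("\t<cannot enumerate modules of pid {}: {!r}>".format(pid, exc))
        return
    for mapping in mappings:
        try:
            path = mapping.path
            bname = os.path.basename(path).lower()
            if not bname.endswith(".dll"):
                continue
            trusted_location = os.path.normcase(path).startswith(system_root)
            if bname in dlls and trusted_location:
                continue
            print("\t{} - {} ".format(path, get_dll_description(path)))
        except (AttributeError, TypeError, UnicodeError):
            # odd mapping entry or console encoding failure: skip this
            # line rather than abort the whole listing
            pass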
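def parse_dateTime(dt):
    """Extract ``HH:MM:SS`` from a WMI/CIM datetime string.

    CIM_DATETIME is ``yyyymmddHHMMSS.mmmmmmsUUU`` (local time with a UTC
    offset suffix), so the time of day sits at offsets 8-14.  The date and
    offset are deliberately dropped; keep the raw value if you need an
    absolute timestamp to correlate with other logs.

    Returns ``"??:??:??"`` when *dt* is missing or too short to hold a
    time, instead of raising inside the event loop.
    """
    if not dt or len(dt) < 14:
        return "??:??:??"
    return "{}:{}:{}".format(dt[8:10], dt[10:12], dt[12:14])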
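def monitor():
    """Print one line per process created on this host, forever.

    Subscribes to Win32_Process creation events through WMI and, for each
    event, prints creation time, image path, owner (domain\\user), pid,
    parent pid with the parent's image path, and the first 100 characters
    of the command line.  When the new image is svchost.exe the DLLs it
    has loaded that are not on the ``dlls`` allowlist are listed
    underneath.

    Limitations to keep in mind before trusting the output: the event is
    delivered after the process started, so a short-lived process may be
    gone before its owner or parent can be read; the parent pid is the
    one Windows recorded and can be recycled or chosen by the creator
    (parent-pid spoofing), so ``ppidname`` is a hint, not provenance; and
    ExecutablePath/CommandLine come back as None for processes this user
    cannot open.
    """
    c = wmi.WMI()
    process_watcher = c.Win32_Process.watch_for("creation")
    print("program\t\t\t\tdomain\\user\t\tpid - ppid \t\t\tcmdline")
    while True:
        try:
            # this blocks inside COM. hence the separate process in
            # __main__, so ctrl+c is honoured without waiting for an event
            new_process = process_watcher()
        except Exception as exc:
            # a broken watcher would otherwise spin hot; report and back off
            sys.stderr.write("[!] WMI event watcher failed: {!r}\n".format(exc))
            time.sleep(1)
            continue
        try:
            # out-parameter tuple; index 0 is Domain, index 2 is User
            proc_owner = new_process.GetOwner()
            domain = proc_owner[0]
            user = proc_owner[2]
            create_date = new_process.CreationDate or ""
            executable = new_process.ExecutablePath
            # None used to blow up in the width/precision format below and
            # the whole event was silently dropped
            cmdline = new_process.CommandLine or ""
            pid = new_process.ProcessId
            ppid = new_process.ParentProcessId
            ppidname = pathforpid(ppid)
            print("[{}] \"{}\" -- {}\\{} -- {} - {}[{}] -- {:100.100}".format(
                parse_dateTime(create_date),
                executable,
                domain,
                user,
                pid,
                ppid,
                ppidname,
                cmdline))
            # endswith rather than basename equality is kept on purpose:
            # a look-alike such as "xsvchost.exe" also gets inspected
            if executable and executable.lower().endswith("svchost.exe"):
                print_dlls(pid)
        except Exception as exc:
            # keep the monitor alive, but make the blind spot visible
            # rather than dropping the event without a trace
            sys.stderr.write("[!] dropped process event: {!r}\n".format(exc))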
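if __name__ == "__main__":
    # run the monitor in a child process: the WMI watcher call blocks in
    # COM, so ctrl+c in this process would otherwise wait for the next
    # event.  The __main__ guard is required on Windows (spawn start method).
    p = multiprocessing.Process(target=monitor)
    p.start()
    try:
        # poll instead of sleeping forever so a monitor that died (e.g. WMI
        # connection failure at startup) is noticed and reported
        while p.is_alive():
            time.sleep(1)
        sys.stderr.write("monitor process {} exited with code {}\n".format(
            p.pid, p.exitcode))
    except KeyboardInterrupt:
        print("killing process {}...".format(p.pid))
        p.terminate()
        p.join()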