acquire.acquire.dynamic.windows.handles

Module Contents

Classes

DuplicateFilter

Filter instances are used to perform arbitrary filtering of LogRecords.

Functions

get_handle_type_info	Return type of handle.
open_process	Obtain a handle for the given PID.
get_handle_name	Return handle name.
get_handles	Returns all handles of a target.
duplicate_handle	Create duplicate handle.
serialize_handles_into_csv	Serialize handle data into a csv.

Attributes

log
OpenProcessToken
kernel32
OpenProcess
DuplicateHandle
GetLastError
SetLastError
GetCurrentProcessId

acquire.acquire.dynamic.windows.handles.log

acquire.acquire.dynamic.windows.handles.OpenProcessToken

acquire.acquire.dynamic.windows.handles.kernel32

acquire.acquire.dynamic.windows.handles.OpenProcess

acquire.acquire.dynamic.windows.handles.DuplicateHandle

acquire.acquire.dynamic.windows.handles.GetLastError

acquire.acquire.dynamic.windows.handles.SetLastError

acquire.acquire.dynamic.windows.handles.GetCurrentProcessId

class acquire.acquire.dynamic.windows.handles.DuplicateFilter

Bases: logging.Filter

Filter instances are used to perform arbitrary filtering of LogRecords.

Loggers and Handlers can optionally use Filter instances to filter records as desired. The base filter class only allows events which are below a certain point in the logger hierarchy. For example, a filter initialized with “A.B” will allow events logged by loggers “A.B”, “A.B.C”, “A.B.C.D”, “A.B.D” etc. but not “A.BB”, “B.A.B” etc. If initialized with the empty string, all events are passed.

msgs

filter(record: logging.LogRecord) → bool

Determine if the specified record is to be logged.

Returns True if the record should be logged, or False otherwise. If deemed appropriate, the record may be modified in-place.

acquire.acquire.dynamic.windows.handles.get_handle_type_info(handle: acquire.dynamic.windows.types.SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX) → str | None

Return type of handle.

Parameters:

handle – handle for which to return the type information.

Raises:

• RuntimeError – Raised when the result of the object query is unknown (other than SUCCESS, LENGTH MISMATCH or

• INVALID). –

acquire.acquire.dynamic.windows.handles.open_process(pid: int) → int

Obtain a handle for the given PID.

More info: https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess

Parameters:

pid – integer that represents the process ID.

Raises:

• OpenProcessError – Raies when the System Idle Process, the System Process or one of the CSRSS processes are tried

• to be opened. –

acquire.acquire.dynamic.windows.handles.get_handle_name(pid: int, handle: acquire.dynamic.windows.types.SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX) → str | None

Return handle name.

acquire.acquire.dynamic.windows.handles.get_handles() → collections.abc.Iterator[acquire.dynamic.windows.types.Handle]

Returns all handles of a target.

acquire.acquire.dynamic.windows.handles.duplicate_handle(h_process: int, handle: acquire.dynamic.windows.types.SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX) → acquire.dynamic.windows.types.HANDLE

Create duplicate handle.

When the source handle is in use by another program, one needs to create a duplicate handle in order to have full control of that handle. This prevents performing operations on the source handle that might have been closed by the other program.

acquire.acquire.dynamic.windows.handles.serialize_handles_into_csv(rows: collections.abc.Iterator[acquire.dynamic.windows.types.Handle], compress: bool = True) → bytes

Serialize handle data into a csv.

Serialize provided rows into normal or gzip-compressed CSV, and return a tuple containing the result bytes.