From 20dbeb2f38684c65ff0a4b99012c161295708e88 Mon Sep 17 00:00:00 2001
From: AL-LCL
Date: Fri, 19 May 2023 11:01:49 +0200
Subject: NeoRAT
---
 .../lazagne/config/lib/memorpy/WinStructures.py | 190 +++++++++++++++++++++
 1 file changed, 190 insertions(+)
 create mode 100644 foreign/client_handling/lazagne/config/lib/memorpy/WinStructures.py
(limited to 'foreign/client_handling/lazagne/config/lib/memorpy/WinStructures.py')
diff --git a/foreign/client_handling/lazagne/config/lib/memorpy/WinStructures.py b/foreign/client_handling/lazagne/config/lib/memorpy/WinStructures.py
new file mode 100644
index 0000000..ac49d36
--- /dev/null
+++ b/foreign/client_handling/lazagne/config/lib/memorpy/WinStructures.py
@@ -0,0 +1,190 @@
+# Author: Nicolas VERDIER
+# This file is part of memorpy.
+#
+# memorpy is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# memorpy is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with memorpy. If not, see .
+
+from ctypes import Structure, c_long, c_int, c_uint, c_char, c_void_p, c_ubyte, c_ushort, c_ulong, c_ulonglong, windll, POINTER, sizeof, c_bool, c_size_t, c_longlong
+from ctypes.wintypes import *
+
+if sizeof(c_void_p) == 8:
+    ULONG_PTR = c_ulonglong
+else:
+    ULONG_PTR = c_ulong
+
+
+class SECURITY_DESCRIPTOR(Structure):
+    _fields_ = [
+        ('SID', DWORD),
+        ('group', DWORD),
+        ('dacl', DWORD),
+        ('sacl', DWORD),
+        ('test', DWORD)
+    ]
+PSECURITY_DESCRIPTOR = POINTER(SECURITY_DESCRIPTOR)
+
+class MEMORY_BASIC_INFORMATION(Structure):
+    _fields_ = [('BaseAddress', c_void_p),
+                ('AllocationBase', c_void_p),
+                ('AllocationProtect', DWORD),
+                ('RegionSize', c_size_t),
+                ('State', DWORD),
+                ('Protect', DWORD),
+                ('Type', DWORD)]
+
+# https://msdn.microsoft.com/fr-fr/library/windows/desktop/aa366775(v=vs.85).aspx
+class MEMORY_BASIC_INFORMATION64(Structure):
+    _fields_ = [('BaseAddress', c_ulonglong),
+                ('AllocationBase', c_ulonglong),
+                ('AllocationProtect', DWORD),
+                ('alignement1', DWORD),
+                ('RegionSize', c_ulonglong),
+                ('State', DWORD),
+                ('Protect', DWORD),
+                ('Type', DWORD),
+                ('alignement2', DWORD)]
+
+
+
+class SYSTEM_INFO(Structure):
+    _fields_ = [('wProcessorArchitecture', WORD),
+                ('wReserved', WORD),
+                ('dwPageSize', DWORD),
+                ('lpMinimumApplicationAddress', LPVOID),
+                ('lpMaximumApplicationAddress', LPVOID),
+                ('dwActiveProcessorMask', ULONG_PTR),
+                ('dwNumberOfProcessors', DWORD),
+                ('dwProcessorType', DWORD),
+                ('dwAllocationGranularity', DWORD),
+                ('wProcessorLevel', WORD),
+                ('wProcessorRevision', WORD)]
+
+
+class PROCESSENTRY32(Structure):
+    _fields_ = [('dwSize', c_uint),
+                ('cntUsage', c_uint),
+                ('th32ProcessID', c_uint),
+                ('th32DefaultHeapID', c_uint),
+                ('th32ModuleID', c_uint),
+                ('cntThreads', c_uint),
+                ('th32ParentProcessID', c_uint),
+                ('pcPriClassBase', c_long),
+                ('dwFlags', DWORD),
+                #('dwFlags', ULONG_PTR),
+                ('szExeFile', c_char * 260),
+                ('th32MemoryBase', c_long),
+                ('th32AccessKey', c_long)]
+
+
+class MODULEENTRY32(Structure):
+    _fields_ = [('dwSize', c_uint),
+                ('th32ModuleID', c_uint),
+                ('th32ProcessID', c_uint),
+                ('GlblcntUsage', c_uint),
+                ('ProccntUsage', c_uint),
+                ('modBaseAddr', c_uint),
+                ('modBaseSize', c_uint),
+                ('hModule', c_uint),
+                ('szModule', c_char * 256),
+                ('szExePath', c_char * 260)]
+
+
+class THREADENTRY32(Structure):
+    _fields_ = [('dwSize', c_uint),
+                ('cntUsage', c_uint),
+                ('th32ThreadID', c_uint),
+                ('th32OwnerProcessID', c_uint),
+                ('tpBasePri', c_uint),
+                ('tpDeltaPri', c_uint),
+                ('dwFlags', c_uint)]
+
+
+class TH32CS_CLASS(object):
+    INHERIT = 2147483648
+    SNAPHEAPLIST = 1
+    SNAPMODULE = 8
+    SNAPMODULE32 = 16
+    SNAPPROCESS = 2
+    SNAPTHREAD = 4
+    ALL = 2032639
+
+
+Module32First = windll.kernel32.Module32First
+Module32First.argtypes = [c_void_p, POINTER(MODULEENTRY32)]
+Module32First.rettype = c_int
+Module32Next = windll.kernel32.Module32Next
+Module32Next.argtypes = [c_void_p, POINTER(MODULEENTRY32)]
+Module32Next.rettype = c_int
+
+Process32First = windll.kernel32.Process32First
+Process32First.argtypes = [c_void_p, POINTER(PROCESSENTRY32)]
+Process32First.rettype = c_int
+Process32Next = windll.kernel32.Process32Next
+Process32Next.argtypes = [c_void_p, POINTER(PROCESSENTRY32)]
+Process32Next.rettype = c_int
+
+CreateToolhelp32Snapshot = windll.kernel32.CreateToolhelp32Snapshot
+CreateToolhelp32Snapshot.reltype = c_long
+CreateToolhelp32Snapshot.argtypes = [c_int, c_int]
+
+CloseHandle = windll.kernel32.CloseHandle
+CloseHandle.argtypes = [c_void_p]
+CloseHandle.rettype = c_int
+
+OpenProcess = windll.kernel32.OpenProcess
+OpenProcess.argtypes = [c_void_p, c_int, c_long]
+OpenProcess.rettype = c_long
+OpenProcessToken = windll.advapi32.OpenProcessToken
+OpenProcessToken.argtypes = (HANDLE, DWORD, POINTER(HANDLE))
+OpenProcessToken.restype = BOOL
+
+ReadProcessMemory = windll.kernel32.ReadProcessMemory
+ReadProcessMemory.argtypes = [HANDLE, LPCVOID, LPVOID, c_size_t, POINTER(c_size_t)]
+ReadProcessMemory = windll.kernel32.ReadProcessMemory
+
+WriteProcessMemory = windll.kernel32.WriteProcessMemory
+WriteProcessMemory.argtypes = [HANDLE, LPVOID, LPCVOID, c_size_t, POINTER(c_size_t)]
+WriteProcessMemory.restype = BOOL
+
+if sizeof(c_void_p) == 8:
+    NtWow64ReadVirtualMemory64=None
+else:
+    try:
+        NtWow64ReadVirtualMemory64 = windll.ntdll.NtWow64ReadVirtualMemory64
+        NtWow64ReadVirtualMemory64.argtypes = [HANDLE, c_longlong, LPVOID, c_ulonglong, POINTER(c_ulong)] # NTSTATUS (__stdcall *NtWow64ReadVirtualMemory64)(HANDLE ProcessHandle, PVOID64 BaseAddress, PVOID Buffer, ULONGLONG BufferSize, PULONGLONG NumberOfBytesRead);
+        NtWow64ReadVirtualMemory64.restype = BOOL
+    except:
+        NtWow64ReadVirtualMemory64=None
+
+VirtualQueryEx = windll.kernel32.VirtualQueryEx
+VirtualQueryEx.argtypes = [HANDLE, LPCVOID, POINTER(MEMORY_BASIC_INFORMATION), c_size_t]
+VirtualQueryEx.restype = c_size_t
+
+#VirtualQueryEx64 = windll.kernel32.VirtualQueryEx
+#VirtualQueryEx64.argtypes = [HANDLE, LPCVOID, POINTER(MEMORY_BASIC_INFORMATION64), c_size_t]
+#VirtualQueryEx64.restype = c_size_t
+
+PAGE_EXECUTE_READWRITE = 64
+PAGE_EXECUTE_READ = 32
+PAGE_READONLY = 2
+PAGE_READWRITE = 4
+PAGE_NOCACHE = 512
+PAGE_WRITECOMBINE = 1024
+PAGE_GUARD = 256
+
+MEM_COMMIT = 4096
+MEM_FREE = 65536
+MEM_RESERVE = 8192
+
+UNPROTECTED_DACL_SECURITY_INFORMATION = 536870912
+DACL_SECURITY_INFORMATION = 4
\ No newline at end of file
-- cgit v1.2.3
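Review bot: The `NtWow64ReadVirtualMemory64` prototype in the 32-bit branch declares the last parameter as `POINTER(c_ulong)` while the comment on that same line gives it as `PULONGLONG NumberOfBytesRead`, so ntdll writes 8 bytes into a 4-byte `c_ulong` supplied by the caller and silently corrupts whatever sits after it; `restype = BOOL` also mislabels an NTSTATUS, where 0 means success, which inverts any truthiness check. Suggest `NtWow64ReadVirtualMemory64.argtypes = [HANDLE, c_ulonglong, LPVOID, c_ulonglong, POINTER(c_ulonglong)]` and `NtWow64ReadVirtualMemory64.restype = c_long  # NTSTATUS: 0 == STATUS_SUCCESS`. Separately, `rettype` (Module32First/Next, Process32First/Next, CloseHandle, OpenProcess) and `reltype` (CreateToolhelp32Snapshot) are not ctypes attributes, so those functions keep the default `c_int` return; for the handle-returning `OpenProcess` and `CreateToolhelp32Snapshot` that should be `restype = HANDLE` so the value is not truncated on 64-bit, and the repeated `ReadProcessMemory = windll.kernel32.ReadProcessMemory` line looks like it was meant to be `ReadProcessMemory.restype = BOOL`. The bare `except:` around the ntdll lookup should be narrowed to `except AttributeError:` so it does not swallow unrelated errors. Presumably the all-`c_uint` `PROCESSENTRY32`/`MODULEENTRY32` layouts only match the 32-bit SDK structs (`th32DefaultHeapID`, `modBaseAddr`, `hModule` are pointer-sized there), so a 64-bit Python would get ERROR_BAD_LENGTH from Process32First — confirm against the target build, or use `ULONG_PTR` for those fields as the commented-out `dwFlags` line hints.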