process

Classes, exceptions, and methods to manipulate a process on Windows.

pyjectify.windows.core.process.getpid(process: str) -> list[int]

Get PIDs associated with a process name

Parameters:

process – Process name

Returns:

List of PIDs associated with the process name

class pyjectify.windows.core.process.ProcessHandle(pid: int, ntdll: object = None, desired_access: int = 4154)

This class represents a Windows process and provides methods to manipulate it

pid: int

PID of the target process

ntdll: object

ctypes.windll.ntdll, a pyjectify.windows.utils.syscall.Syscall instance, or None. Determines which functions are called for basic operations (WinAPI, NTDLL or direct syscalls).

handle: int

Handle to the target process

wow64: bool

Whether the target process is a WOW64 process

x86: bool

Whether the target process runs in 32-bit mode

close() -> None

Close the handle to the target process

query(addr: int) -> MEMORY_BASIC_INFORMATION

Get information about a range of memory pages in the target process

Parameters:

addr – address of the range of memory pages

Returns:

The MEMORY_BASIC_INFORMATION linked to the range of memory pages

allocate(size: int, protect: int = 4, preferred_addr: int | None = None) -> int

Allocate a region of memory in the target process

Parameters:
  • size – size of the memory region to allocate

  • protect – protection of the allocated memory region

  • preferred_addr – preferred address for the memory region to allocate

Returns:

The address of the allocated memory region

free(addr: int, size: int = 0, flags: int = 32768) -> None

Free a region of memory pages in the target process

Parameters:
  • addr – address of the memory region to free

  • size – size of the memory region to free (must be 0 if flags is MEM_RELEASE)

  • flags – the type of free operation

protect(addr: int, size: int, protect: int) -> int

Change the protection on a region of memory in the target process

Parameters:
  • addr – address of the memory region

  • size – size of the memory region

  • protect – new protection to apply to the memory region

Returns:

The old protection of the memory region

read(addr: int, size: int) -> bytes

Read an area of memory of the target process

Parameters:
  • addr – the address of the memory area to read

  • size – the size of the memory area to read

Returns:

Bytes of the memory area read

write(addr: int, data: str | bytes) -> None

Write to an area of memory of the target process

Parameters:
  • addr – address of the memory area

  • data – bytes to write at the specified address

start_thread(addr: int, arg: int | None = None) -> int

Start a thread in the target process

Parameters:
  • addr – address of the function

  • arg – address of the parameter to pass to the function

Returns:

A handle to the thread started

join_thread(handle: int) -> int

Join a thread in the target process

Parameters:

handle – handle to the thread

Returns:

The exit code (32-bit) of the thread

run_funcs(funcs: list[tuple[int, int]]) -> list[int]

Run multiple functions in the same new thread

Parameters:

funcs – list of tuples (addr, arg) with each function to call with its parameter

Returns:

A list of the return values for each called function

module_from_hmodule(hmodule: int) -> PE

Get a PE object from a handle to a module

Parameters:

hmodule – handle to the module

Returns:

A PyJectify PE object representing the module

get_module(lib: str) -> PE

Get a PE object from a library loaded by the target process

Parameters:

lib – library name

Returns:

A PyJectify PE object representing the library

exception pyjectify.windows.core.process.WinAPIError

Exception for Windows API errors
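
The default desired_access = 4154 in the ProcessHandle signature is a bitmask of Windows process access rights, the same kind of value Sysmon records as GrantedAccess in ProcessAccess (Event ID 10) events. The following is an added example, not part of PyJectify or its documentation: it decodes that default into named rights and applies the same test to event records. The function names, event records and image paths are constructed for illustration.

```python
# Added example, not PyJectify code. Constants are standard Windows access rights.
PROCESS_RIGHTS = {
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

DEFAULT_DESIRED_ACCESS = 4154  # value shown in the ProcessHandle signature
# Rights Windows requires for remote allocation, remote write and remote threads.
REMOTE_WRITE_AND_THREAD = 0x0002 | 0x0008 | 0x0020


def decode_access(mask: int) -> list[str]:
    """Return the names of the known access rights set in mask."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(PROCESS_RIGHTS)  # bits not covered by the table above
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:X})")
    return names


def grants_remote_write_and_thread(mask: int) -> bool:
    """True when the mask allows writing memory and creating threads remotely."""
    return mask & REMOTE_WRITE_AND_THREAD == REMOTE_WRITE_AND_THREAD


def flag_events(events: list[dict]) -> list[dict]:
    """Return the events whose GrantedAccess includes the full combination."""
    hits = []
    for ev in events:
        mask = int(ev["GrantedAccess"], 16)  # Sysmon logs the mask as a hex string
        if grants_remote_write_and_thread(mask):
            hits.append({**ev, "rights": decode_access(mask)})
    return hits


# Constructed records shaped like Sysmon Event ID 10 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Example\monitor.exe", "TargetImage": r"C:\Example\app.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Example\python.exe", "TargetImage": r"C:\Example\app.exe", "GrantedAccess": "0x103A"},
    {"SourceImage": r"C:\Example\debugger.exe", "TargetImage": r"C:\Example\app.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Example\taskview.exe", "TargetImage": r"C:\Example\app.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(hit["SourceImage"], hit["GrantedAccess"], hit["rights"])
```

Debuggers and some endpoint agents legitimately request the same rights, so a rule built on this mask needs a baseline of expected source images before it is used for alerting.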