atomicshop 2.15.11__py3-none-any.whl → 3.10.5__py3-none-any.whl

atomicshop/wrappers/ctyping/etw_winapi/const.py

@@ -11,10 +11,14 @@ EVENT_CONTROL_CODE_ENABLE_PROVIDER = 1
 
 MAXIMUM_LOGGERS = 64
 ULONG64 = ctypes.c_uint64
+UCHAR = ctypes.c_ubyte
 
 INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
 TRACEHANDLE = ULONG64
 
+PROCESS_TRACE_MODE_EVENT_RECORD = 0x10000000     # new event-record callback
+PROCESS_TRACE_MODE_REAL_TIME = 0x00000100
+INVALID_PROCESSTRACE_HANDLE = 0xFFFFFFFFFFFFFFFF  # Often -1 in 64-bit
 
 
 """
@@ -69,10 +73,7 @@ class EVENT_TRACE_PROPERTIES(ctypes.Structure):
         ("RealTimeBuffersLost", wintypes.ULONG),
         ("LoggerThreadId", wintypes.HANDLE),
         ("LogFileNameOffset", wintypes.ULONG),
-        ("LoggerNameOffset", wintypes.ULONG),
-        # Allocate space for the names at the end of the structure
-        ("_LoggerName", wintypes.WCHAR * 1024),
-        ("_LogFileName", wintypes.WCHAR * 1024)
+        ("LoggerNameOffset", wintypes.ULONG)
     ]
 
 
@@ -183,55 +184,59 @@ class EVENT_HEADER(ctypes.Structure):
         ("RelatedActivityId", GUID),
     ]
 
+
+class ETW_BUFFER_CONTEXT(ctypes.Structure):
+    _fields_ = [('ProcessorNumber', ctypes.c_ubyte),
+                ('Alignment', ctypes.c_ubyte),
+                ('LoggerId', ctypes.c_ushort)]
+
+
+class EVENT_HEADER_EXTENDED_DATA_ITEM(ctypes.Structure):
+    _fields_ = [
+        ('Reserved1', ctypes.c_ushort),
+        ('ExtType', ctypes.c_ushort),
+        ('Linkage', ctypes.c_ushort),    # struct{USHORT :1, USHORT :15}
+        ('DataSize', ctypes.c_ushort),
+        ('DataPtr', ctypes.c_ulonglong)
+    ]
+
+
 class EVENT_RECORD(ctypes.Structure):
     _fields_ = [
-        ("EventHeader", EVENT_HEADER),
-        ("BufferContext", wintypes.ULONG),
-        ("ExtendedDataCount", wintypes.USHORT),
-        ("UserDataLength", wintypes.USHORT),
-        ("ExtendedData", wintypes.LPVOID),
-        ("UserData", wintypes.LPVOID),
-        ("UserContext", wintypes.LPVOID)
+        ('EventHeader', EVENT_HEADER),
+        ('BufferContext', ETW_BUFFER_CONTEXT),
+        ('ExtendedDataCount', ctypes.c_ushort),
+        ('UserDataLength', ctypes.c_ushort),
+        ('ExtendedData', ctypes.POINTER(EVENT_HEADER_EXTENDED_DATA_ITEM)),
+        ('UserData', ctypes.c_void_p),
+        ('UserContext', ctypes.c_void_p)
     ]
 
 
-# class EVENT_TRACE_LOGFILE(ctypes.Structure):
-#     _fields_ = [
-#         ("LogFileName", wintypes.LPWSTR),
-#         ("LoggerName", wintypes.LPWSTR),
-#         ("CurrentTime", wintypes.LARGE_INTEGER),
-#         ("BuffersRead", wintypes.ULONG),
-#         ("ProcessTraceMode", wintypes.ULONG),
-#         ("EventRecordCallback", wintypes.LPVOID),
-#         ("BufferSize", wintypes.ULONG),
-#         ("Filled", wintypes.ULONG),
-#         ("EventsLost", wintypes.ULONG),
-#         ("BuffersLost", wintypes.ULONG),
-#         ("RealTimeBuffersLost", wintypes.ULONG),
-#         ("LogBuffersLost", wintypes.ULONG),
-#         ("BuffersWritten", wintypes.ULONG),
-#         ("LogFileMode", wintypes.ULONG),
-#         ("IsKernelTrace", wintypes.ULONG),
-#         ("Context", wintypes.ULONG)  # Placeholder for context pointer
-#     ]
+class EVENT_TRACE_LOGFILE(ctypes.Structure):
+    pass
+
+
+EVENT_RECORD_CALLBACK = ctypes.WINFUNCTYPE(None, ctypes.POINTER(EVENT_RECORD))
+EVENT_TRACE_BUFFER_CALLBACK = ctypes.WINFUNCTYPE(ctypes.c_ulong, ctypes.POINTER(EVENT_TRACE_LOGFILE))
 
 
 class EVENT_TRACE_LOGFILE(ctypes.Structure):
     _fields_ = [
-        ("LogFileName", wintypes.LPWSTR),
-        ("LoggerName", wintypes.LPWSTR),
-        ("CurrentTime", wintypes.LARGE_INTEGER),
-        ("BuffersRead", wintypes.ULONG),
-        ("ProcessTraceMode", wintypes.ULONG),
-        ("CurrentEvent", EVENT_RECORD),
-        ("LogfileHeader", TRACE_LOGFILE_HEADER),
-        ("BufferCallback", wintypes.LPVOID),
-        ("BufferSize", wintypes.ULONG),
-        ("Filled", wintypes.ULONG),
-        ("EventsLost", wintypes.ULONG),
-        ("EventCallback", ctypes.c_void_p),
-        ("IsKernelTrace", wintypes.ULONG),
-        ("Context", wintypes.LPVOID)
+        ('LogFileName', ctypes.c_wchar_p),
+        ('LoggerName', ctypes.c_wchar_p),
+        ('CurrentTime', ctypes.c_longlong),
+        ('BuffersRead', ctypes.c_ulong),
+        ('ProcessTraceMode', ctypes.c_ulong),
+        ('CurrentEvent', EVENT_TRACE),
+        ('LogfileHeader', TRACE_LOGFILE_HEADER),
+        ('BufferCallback', EVENT_TRACE_BUFFER_CALLBACK),
+        ('BufferSize', ctypes.c_ulong),
+        ('Filled', ctypes.c_ulong),
+        ('EventsLost', ctypes.c_ulong),
+        ('EventRecordCallback', EVENT_RECORD_CALLBACK),
+        ('IsKernelTrace', ctypes.c_ulong),
+        ('Context', ctypes.c_void_p)
     ]
 
 
@@ -255,7 +260,7 @@ class PROVIDER_INFORMATION(ctypes.Structure):
 
 
 # Load the necessary library
-advapi32 = ctypes.WinDLL('advapi32')
+advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
 tdh = ctypes.windll.tdh
 
 # Define necessary TDH functions
@@ -263,6 +268,46 @@ tdh.TdhEnumerateProviders.argtypes = [ctypes.POINTER(PROVIDER_ENUMERATION_INFO),
 tdh.TdhEnumerateProviders.restype = ULONG
 
 
+# Make sure StartTraceW has proper argtypes (if not set in consts)
+StartTrace = advapi32.StartTraceW
+StartTrace.argtypes = [
+    ctypes.POINTER(TRACEHANDLE),
+    wintypes.LPCWSTR,
+    ctypes.POINTER(EVENT_TRACE_PROPERTIES)
+]
+StartTrace.restype = wintypes.ULONG
+
+
+class EVENT_FILTER_DESCRIPTOR(ctypes.Structure):
+    _fields_ = [('Ptr', ctypes.c_ulonglong),
+                ('Size', ctypes.c_ulong),
+                ('Type', ctypes.c_ulong)]
+
+
+class ENABLE_TRACE_PARAMETERS(ctypes.Structure):
+    _fields_ = [
+        ('Version', ctypes.c_ulong),
+            ('EnableProperty', ctypes.c_ulong),
+            ('ControlFlags', ctypes.c_ulong),
+            ('SourceId', GUID),
+            ('EnableFilterDesc', ctypes.POINTER(EVENT_FILTER_DESCRIPTOR)),
+            ('FilterDescCount', ctypes.c_ulong)
+    ]
+
+
+EnableTraceEx2 = advapi32.EnableTraceEx2
+EnableTraceEx2.argtypes = [
+    TRACEHANDLE,                                # TraceHandle (c_uint64)
+    ctypes.POINTER(GUID),                       # ProviderId
+    ctypes.c_ulong,                             # ControlCode
+    ctypes.c_char,                              # Level
+    ctypes.c_ulonglong,                         # MatchAnyKeyword
+    ctypes.c_ulonglong,                         # MatchAllKeyword
+    ctypes.c_ulong,                             # Timeout
+    ctypes.POINTER(ENABLE_TRACE_PARAMETERS)]    # PENABLE_TRACE_PARAMETERS (optional) -> None or pointer
+EnableTraceEx2.restype = ctypes.c_ulong
+
+
 # Define the function prototype
 QueryAllTraces = advapi32.QueryAllTracesW
 QueryAllTraces.argtypes = [
@@ -277,8 +322,13 @@ OpenTrace.argtypes = [ctypes.POINTER(EVENT_TRACE_LOGFILE)]
 OpenTrace.restype = wintypes.ULONG
 
 ProcessTrace = advapi32.ProcessTrace
-ProcessTrace.argtypes = [ctypes.POINTER(wintypes.ULONG), wintypes.ULONG, wintypes.LARGE_INTEGER, wintypes.LARGE_INTEGER]
-ProcessTrace.restype = wintypes.ULONG
+ProcessTrace.argtypes = [
+    ctypes.POINTER(ctypes.c_uint64),  # pointer to array of 64-bit handles
+    wintypes.ULONG,     # handle count
+    ctypes.c_void_p,           # LPFILETIME (start)
+    ctypes.c_void_p            # LPFILETIME (end)
+]
+ProcessTrace.restype  = wintypes.ULONG
 
 CloseTrace = advapi32.CloseTrace
 CloseTrace.argtypes = [wintypes.ULONG]

atomicshop/wrappers/ctyping/etw_winapi/etw_functions.py

@@ -1,5 +1,5 @@
 import ctypes
-from ctypes import wintypes
+import queue
 from ctypes.wintypes import ULONG
 import uuid
 from typing import Literal
@@ -34,7 +34,7 @@ def start_etw_session(
         provider_name_list: list = None,
         verbosity_mode: int = 4,
         maximum_buffers: int = 38
-):
+) -> const.TRACEHANDLE:
     """
     Start an ETW session and enable the specified provider.
 
@@ -77,57 +77,89 @@ def start_etw_session(
         for provider_name in provider_name_list:
             provider_guid_list.append(providers.get_provider_guid_by_name(provider_name))
 
-    properties_size = ctypes.sizeof(const.EVENT_TRACE_PROPERTIES) + (2 * wintypes.MAX_PATH)
-    properties = (ctypes.c_byte * properties_size)()
-    properties_ptr = ctypes.cast(properties, ctypes.POINTER(const.EVENT_TRACE_PROPERTIES))
-
-    # Initialize the EVENT_TRACE_PROPERTIES structure
-    properties_ptr.contents.Wnode.BufferSize = properties_size
-    properties_ptr.contents.Wnode.Guid = const.GUID()
-    properties_ptr.contents.Wnode.Flags = const.WNODE_FLAG_TRACED_GUID
-    properties_ptr.contents.Wnode.ClientContext = 1   # QPC clock resolution
-    properties_ptr.contents.BufferSize = 1024
-    properties_ptr.contents.MinimumBuffers = 1
-    properties_ptr.contents.MaximumBuffers = maximum_buffers
-    properties_ptr.contents.MaximumFileSize = 0
-    properties_ptr.contents.LogFileMode = const.EVENT_TRACE_REAL_TIME_MODE
-    properties_ptr.contents.FlushTimer = 1
-    properties_ptr.contents.EnableFlags = 0
-
-    # Start the ETW session
-    session_handle = wintypes.HANDLE()
-    status = ctypes.windll.advapi32.StartTraceW(
-        ctypes.byref(session_handle),
-        ctypes.c_wchar_p(session_name),
-        properties_ptr
-    )
+        # (1) Allocate a buffer large enough for EVENT_TRACE_PROPERTIES + space for 2 strings
+        #     The typical approach is to allow enough space for:
+        #       - The structure
+        #       - The "LoggerName" string
+        #       - The "LogFileName" string (even if we don't use it, we must leave offset space)
+        #
+        props_size = ctypes.sizeof(const.EVENT_TRACE_PROPERTIES)
+        # Add space for 2 x 1024 wide-chars (one for LoggerName, one for LogFileName)
+        # Each wide char = ctypes.sizeof(ctypes.c_wchar).
+        props_size += (2 * 1024 * ctypes.sizeof(ctypes.c_wchar))  # for logger name
+        props_size += (2 * 1024 * ctypes.sizeof(ctypes.c_wchar))  # for log file name
+
+        properties_buffer = ctypes.create_string_buffer(props_size)
+        properties_ptr = ctypes.cast(properties_buffer, ctypes.POINTER(const.EVENT_TRACE_PROPERTIES))
+        props = properties_ptr.contents
+
+        # (2) Fill in basic fields
+        props.Wnode.BufferSize = props_size
+        props.Wnode.Flags = const.WNODE_FLAG_TRACED_GUID  # 0x00020000
+        props.Wnode.ClientContext = 1  # QPC clock
+        props.BufferSize = 1024
+        props.MinimumBuffers = 1
+        props.MaximumBuffers = maximum_buffers
+        props.MaximumFileSize = 0
+        props.LogFileMode = const.EVENT_TRACE_REAL_TIME_MODE  # real-time
+        props.FlushTimer = 1
+        props.EnableFlags = 0
+
+        # (3) Indicate where in this allocated buffer the strings should go
+        struct_size = ctypes.sizeof(const.EVENT_TRACE_PROPERTIES)
+        props.LoggerNameOffset = struct_size
+        props.LogFileNameOffset = struct_size + (2 * 1024 * ctypes.sizeof(ctypes.c_wchar))
+
+        # (4) Copy the session name into the LoggerName space
+        logger_name_address = ctypes.addressof(properties_buffer) + props.LoggerNameOffset
+        session_name_wchar = ctypes.create_unicode_buffer(session_name)
+        ctypes.memmove(
+            logger_name_address,
+            session_name_wchar,
+            len(session_name) * ctypes.sizeof(ctypes.c_wchar)
+        )
 
-    if status != 0:
-        if status == 183:
-            raise ETWSessionExists(f"ETW session [{session_name}] already exists")
-        else:
-            raise Exception(f"StartTraceW failed with error {status}")
-
-    # Enable each provider
-    for provider_guid in provider_guid_list:
-        provider_guid_struct = _string_to_guid(provider_guid)
-        status = ctypes.windll.advapi32.EnableTraceEx2(
-            session_handle,
-            ctypes.byref(provider_guid_struct),
-            const.EVENT_CONTROL_CODE_ENABLE_PROVIDER,
-            verbosity_mode,
-            0,
-            0,
-            0,
-            None
+        # (5) Start the session
+        session_handle = const.TRACEHANDLE(0)
+        status = const.StartTrace(
+            ctypes.byref(session_handle),
+            session_name,  # The session name as an LPCWSTR
+            properties_ptr  # pointer to EVENT_TRACE_PROPERTIES
         )
 
         if status != 0:
-            raise Exception(f"EnableTraceEx2 failed for provider {provider_guid} with error {status}")
-
-    print("ETW session started successfully")
-
-    return session_handle
+            # 183 => ERROR_ALREADY_EXISTS
+            if status == 183:
+                raise ETWSessionExists(f"ETW session [{session_name}] already exists")
+            else:
+                raise Exception(f"StartTraceW failed with error code {status}")
+
+        # (6) If we have providers to enable, enable each
+        if provider_guid_list:
+            for guid_str in provider_guid_list:
+                guid_struct = _string_to_guid(guid_str)
+
+                # Typically you'd do something like:
+                #   advapi32.EnableTraceEx2(TRACEHANDLE, PGUID, CONTROL_CODE, LEVEL, KW, KW, TIMEOUT, FILTER)
+
+                enable_status = const.EnableTraceEx2(
+                    session_handle,  # The session handle
+                    ctypes.byref(guid_struct),  # The provider GUID
+                    const.EVENT_CONTROL_CODE_ENABLE_PROVIDER,  # 1 => enable
+                    verbosity_mode,  # level
+                    0xFFFFFFFFFFFFFFFF, # matchAnyKeyword
+                    0,  # matchAllKeyword
+                    0,  # timeout
+                    None  # enableParameters (optional)
+                )
+
+                if enable_status != 0:
+                    raise Exception(
+                        f"EnableTraceEx2 failed for provider {guid_str} (error={enable_status})"
+                    )
+
+        print(f"ETW session '{session_name}' started successfully.")
+        return session_handle
 
 
 # Function to stop and delete ETW session
@@ -165,6 +197,103 @@ def stop_and_delete_etw_session(session_name: str) -> tuple[bool, int]:
         return True, status
 
 
+@const.EVENT_CALLBACK_TYPE
+def _default_callback(
+        event_record_ptr
+):
+    """
+    This function will be called by Windows for every incoming ETW event.
+    'event_record_ptr' is a pointer to an EVENT_RECORD structure.
+    """
+    # Convert pointer to a Python EVENT_RECORD object
+    event_record = event_record_ptr.contents
+
+    # Do something with event_record (e.g., parse via TDH)
+    print("Received an ETW event!", event_record.EventHeader.ProviderId)
+
+
+def start_etw_consumer(
+        session_name: str,
+        record_queue: queue.Queue
+):
+    """
+    Attach to an existing real-time ETW session by 'session_name'
+    using the "new" EVENT_RECORD callback approach.
+    This call blocks until the ETW session is stopped or an error occurs.
+    """
+    # 1) Create a closure callback that references the queue
+    #    We define an inner function that sees 'record_queue' from outer scope.
+    #    Then we wrap that in EVENT_CALLBACK_TYPE.
+    if record_queue is not None:
+        @const.EVENT_CALLBACK_TYPE
+        def _queue_callback(event_record_ptr):
+            event_record = event_record_ptr.contents
+            # # Example: put a simple dict with the provider ID & possibly more info
+            # record_queue.put({
+            #     "provider_id": str(event_record.EventHeader.ProviderId),
+            #     "process_id": event_record.EventHeader.ProcessId,
+            #     "thread_id": event_record.EventHeader.ThreadId,
+            #     # ... more fields or parse them with TdhGetEventInformation, etc.
+            # })
+            print("Received an ETW event!", event_record.EventHeader.ProviderId)
+            record_queue.put(event_record)
+    else:
+        _queue_callback = _default_callback
+
+    # Keep a reference to the callback so Python doesn't GC it.
+    start_etw_consumer._callback_ref = _queue_callback
+
+    # Prepare the EVENT_TRACE_LOGFILE structure
+    logfile = const.EVENT_TRACE_LOGFILE()
+    # You can also do: logfile.LoggerName = session_name
+    # If you assign session_name (a Python str), ctypes automatically converts it to a temporary c_wchar_p under the hood.
+    # logfile.LoggerName = ctypes.c_wchar_p(session_name)
+    logfile.LoggerName = session_name
+    logfile.LogFileName = None  # Real-time, not from a file
+    logfile.ProcessTraceMode = (const.PROCESS_TRACE_MODE_REAL_TIME | const.PROCESS_TRACE_MODE_EVENT_RECORD)
+
+    # Point to our Python callback
+    logfile.EventRecordCallback = const.EVENT_RECORD_CALLBACK(_default_callback)
+
+    # Open the trace
+    trace_handle = const.OpenTrace(ctypes.byref(logfile))
+    if trace_handle == const.INVALID_PROCESSTRACE_HANDLE:
+        error_code = ctypes.get_last_error()
+        raise OSError(f"OpenTrace failed with error code: {error_code}")
+
+    # trace_handle is actually an unsigned long, but in 64-bit it's a 64-bit handle.
+    # We'll create an array of one handle for ProcessTrace:
+    trace_handle_array = (ctypes.c_uint64 * 1)(trace_handle)
+
+    # Blocking call - will not return until the session is stopped (or error).
+    status = const.ProcessTrace(
+        trace_handle_array,
+        1,  # HandleCount = 1
+        None,  # StartTime = None
+        None  # EndTime = None
+    )
+    if status != 0:
+        raise OSError(f"ProcessTrace failed with error code: {status}")
+
+    print("ProcessTrace returned. ETW consumer finished.")
+
+
+def start_etw_consumer_in_thread(
+        session_name: str,
+        record_queue: queue.Queue
+):
+    """
+    Start an ETW consumer in a separate thread.
+    """
+    import threading
+
+    def _start_etw_consumer():
+        start_etw_consumer(session_name, record_queue)
+
+    thread = threading.Thread(target=_start_etw_consumer)
+    thread.start()
+
+
 def get_all_providers(key_as: Literal['name', 'guid'] = 'name') -> dict:
     """
     Get all ETW providers available on the system.

atomicshop/wrappers/ctyping/file_details_winapi.py

@@ -0,0 +1,67 @@
+import os
+import ctypes
+import pefile
+
+
+def get_file_properties(file_path: str) -> dict:
+    """
+    Retrieve file version properties using ctypes.
+
+    :param file_path: Full path to the file.
+    :return: Dictionary with file properties.
+    """
+
+    def query_value(name):
+        r = ctypes.c_void_p()
+        l = ctypes.c_uint()
+        ctypes.windll.version.VerQueryValueW(
+            res, f"\\StringFileInfo\\040904b0\\{name}", ctypes.byref(r), ctypes.byref(l))
+        return ctypes.wstring_at(r) if r.value else "N/A"
+
+    properties = {
+        "FileDescription": "N/A",
+        "FileVersion": "N/A",
+        "ProductName": "N/A",
+        "ProductVersion": "N/A",
+    }
+
+    if not os.path.isfile(file_path):
+        return properties
+
+    # Load version information
+    size = ctypes.windll.version.GetFileVersionInfoSizeW(file_path, None)
+    if size == 0:
+        return properties
+
+    res = ctypes.create_string_buffer(size)
+    ctypes.windll.version.GetFileVersionInfoW(file_path, None, size, res)
+
+    properties["FileDescription"] = query_value("FileDescription")
+    properties["FileVersion"] = query_value("FileVersion")
+    properties["ProductName"] = query_value("ProductName")
+    properties["ProductVersion"] = query_value("ProductVersion")
+
+    # Fallback to pefile if ctypes fails or returns, pefile is much slower but more reliable, so we only use it as a fallback.
+    if properties["FileDescription"] == "N/A" or properties["FileVersion"] == "N/A":
+        pe = pefile.PE(file_path)
+        version_info = pe.VS_FIXEDFILEINFO
+        if version_info:
+            # If version_info is a list, take the first valid entry
+            if isinstance(version_info, list):
+                version_info = version_info[0]
+
+            properties["FileVersion"] = f"{version_info.FileVersionMS >> 16}.{version_info.FileVersionMS & 0xFFFF}.{version_info.FileVersionLS >> 16}.{version_info.FileVersionLS & 0xFFFF}"
+        # Attempt to get additional metadata
+        for entry in pe.FileInfo or []:
+            for structure in entry:
+                if hasattr(structure, "StringTable"):
+                    for string_table in structure.StringTable:
+                        for key, value in string_table.entries.items():
+                            if key == b"FileDescription":
+                                properties["FileDescription"] = value.decode("utf-8", errors="ignore")
+                            elif key == b"ProductName":
+                                properties["ProductName"] = value.decode("utf-8", errors="ignore")
+                            elif key == b"ProductVersion":
+                                properties["ProductVersion"] = value.decode("utf-8", errors="ignore")
+
+    return properties

atomicshop/wrappers/ctyping/msi_windows_installer/cabs.py

@@ -1,8 +1,9 @@
 import os
 from pathlib import Path
 
+from dkarchiver.arch_wrappers import sevenz_app_w
+
 from . import tables
-from ....archiver import sevenz_app_w
 
 
 def resolve_directory_path(directory_info, directory_key):

atomicshop/wrappers/ctyping/msi_windows_installer/extract_msi_main.py

@@ -1,12 +1,12 @@
 import os
-import sys
 import argparse
 
+from dkarchiver.arch_wrappers import sevenz_app_w
+
 from .base import msi
 from . import base, tables, cabs
 from ... import olefilew
 from ....print_api import print_api
-from ....archiver import sevenz_app_w
 
 
 # Directory names.