Add system.architecture & process.architecture

Author: hakril

ctypes_generation/definitions/defines/processor.txt

@@ -0,0 +1,38 @@
+#define PROCESSOR_INTEL_386     386
+#define PROCESSOR_INTEL_486     486
+#define PROCESSOR_INTEL_PENTIUM 586
+#define PROCESSOR_INTEL_IA64    2200
+#define PROCESSOR_MIPS_R4000    4000    // incl R4101 & R3910 for Windows CE
+#define PROCESSOR_ALPHA_21064   21064
+#define PROCESSOR_PPC_601       601
+#define PROCESSOR_PPC_603       603
+#define PROCESSOR_PPC_604       604
+#define PROCESSOR_PPC_620       620
+#define PROCESSOR_HITACHI_SH3   10003   // Windows CE
+#define PROCESSOR_HITACHI_SH3E  10004   // Windows CE
+#define PROCESSOR_HITACHI_SH4   10005   // Windows CE
+#define PROCESSOR_MOTOROLA_821  821     // Windows CE
+#define PROCESSOR_SHx_SH3       103     // Windows CE
+#define PROCESSOR_SHx_SH4       104     // Windows CE
+#define PROCESSOR_STRONGARM     2577    // Windows CE - 0xA11
+#define PROCESSOR_ARM720        1824    // Windows CE - 0x720
+#define PROCESSOR_ARM820        2080    // Windows CE - 0x820
+#define PROCESSOR_ARM920        2336    // Windows CE - 0x920
+#define PROCESSOR_ARM_7TDMI     70001   // Windows CE
+#define PROCESSOR_OPTIL         0x494f  // MSIL
+
+#define PROCESSOR_ARCHITECTURE_INTEL            0
+#define PROCESSOR_ARCHITECTURE_MIPS             1
+#define PROCESSOR_ARCHITECTURE_ALPHA            2
+#define PROCESSOR_ARCHITECTURE_PPC              3
+#define PROCESSOR_ARCHITECTURE_SHX              4
+#define PROCESSOR_ARCHITECTURE_ARM              5
+#define PROCESSOR_ARCHITECTURE_IA64             6
+#define PROCESSOR_ARCHITECTURE_ALPHA64          7
+#define PROCESSOR_ARCHITECTURE_MSIL             8
+#define PROCESSOR_ARCHITECTURE_AMD64            9
+#define PROCESSOR_ARCHITECTURE_IA32_ON_WIN64    10
+#define PROCESSOR_ARCHITECTURE_NEUTRAL          11
+#define PROCESSOR_ARCHITECTURE_ARM64            12
+#define PROCESSOR_ARCHITECTURE_ARM32_ON_WIN64   13
+#define PROCESSOR_ARCHITECTURE_UNKNOWN          0xFFFF

ctypes_generation/definitions/defines/windef_pe.txt

@@ -100,4 +100,6 @@
 #define IMAGE_FILE_MACHINE_AMD64             0x8664
 #define IMAGE_FILE_MACHINE_M32R              0x9041
 #define IMAGE_FILE_MACHINE_CEE               0xC0EE
-#define IMAGE_FILE_MACHINE_ARM64             0xAA64
+#define IMAGE_FILE_MACHINE_ARM64             0xAA64
+
+#define IMAGE_FILE_MACHINE_TARGET_HOST      0x0001  // Useful for indicating we want to interact with the host and not a WoW guest.

docs/source/windef_generated.rst

@@ -1145,6 +1145,43 @@ WinDef
 .. autodata:: NMPWAIT_WAIT_FOREVER
 .. autodata:: NMPWAIT_NOWAIT
 .. autodata:: NMPWAIT_USE_DEFAULT_WAIT
+.. autodata:: PROCESSOR_INTEL_386
+.. autodata:: PROCESSOR_INTEL_486
+.. autodata:: PROCESSOR_INTEL_PENTIUM
+.. autodata:: PROCESSOR_INTEL_IA64
+.. autodata:: PROCESSOR_MIPS_R4000
+.. autodata:: PROCESSOR_ALPHA_21064
+.. autodata:: PROCESSOR_PPC_601
+.. autodata:: PROCESSOR_PPC_603
+.. autodata:: PROCESSOR_PPC_604
+.. autodata:: PROCESSOR_PPC_620
+.. autodata:: PROCESSOR_HITACHI_SH3
+.. autodata:: PROCESSOR_HITACHI_SH3E
+.. autodata:: PROCESSOR_HITACHI_SH4
+.. autodata:: PROCESSOR_MOTOROLA_821
+.. autodata:: PROCESSOR_SHx_SH3
+.. autodata:: PROCESSOR_SHx_SH4
+.. autodata:: PROCESSOR_STRONGARM
+.. autodata:: PROCESSOR_ARM720
+.. autodata:: PROCESSOR_ARM820
+.. autodata:: PROCESSOR_ARM920
+.. autodata:: PROCESSOR_ARM_7TDMI
+.. autodata:: PROCESSOR_OPTIL
+.. autodata:: PROCESSOR_ARCHITECTURE_INTEL
+.. autodata:: PROCESSOR_ARCHITECTURE_MIPS
+.. autodata:: PROCESSOR_ARCHITECTURE_ALPHA
+.. autodata:: PROCESSOR_ARCHITECTURE_PPC
+.. autodata:: PROCESSOR_ARCHITECTURE_SHX
+.. autodata:: PROCESSOR_ARCHITECTURE_ARM
+.. autodata:: PROCESSOR_ARCHITECTURE_IA64
+.. autodata:: PROCESSOR_ARCHITECTURE_ALPHA64
+.. autodata:: PROCESSOR_ARCHITECTURE_MSIL
+.. autodata:: PROCESSOR_ARCHITECTURE_AMD64
+.. autodata:: PROCESSOR_ARCHITECTURE_IA32_ON_WIN64
+.. autodata:: PROCESSOR_ARCHITECTURE_NEUTRAL
+.. autodata:: PROCESSOR_ARCHITECTURE_ARM64
+.. autodata:: PROCESSOR_ARCHITECTURE_ARM32_ON_WIN64
+.. autodata:: PROCESSOR_ARCHITECTURE_UNKNOWN
 .. autodata:: HKEY_CLASSES_ROOT
 .. autodata:: HKEY_CURRENT_USER
 .. autodata:: HKEY_LOCAL_MACHINE
@@ -2922,6 +2959,7 @@ WinDef
 .. autodata:: IMAGE_FILE_MACHINE_M32R
 .. autodata:: IMAGE_FILE_MACHINE_CEE
 .. autodata:: IMAGE_FILE_MACHINE_ARM64
+.. autodata:: IMAGE_FILE_MACHINE_TARGET_HOST
 .. autodata:: CERT_QUERY_OBJECT_FILE
 .. autodata:: CERT_QUERY_OBJECT_BLOB
 .. autodata:: CERT_QUERY_CONTENT_CERT

tests/test_syswow.py

@@ -17,8 +17,9 @@ def test_print_syswow_state():
     print(f"{platform.machine()=}")
     print(f"{platform.architecture()=}")
     print(f"{windows.system.bitness=}")
+    print(f"{windows.system.architecture=}")
     print(f"{windows.current_process.bitness=}")
-    print(f"{windows.current_process.is_wow_64=}")
+    print(f"{windows.current_process.architecture=}")
     print(f"{env['PROCESSOR_ARCHITECTURE']=}")
     print(f"{env.get('PROCESSOR_ARCHITEW6432')=}")
 
@@ -30,12 +31,6 @@ def test_print_syswow_state():
     print(f"{hex(processMachine.value)=}")
     print(f"{hex(nativeMachine.value)=}")
 
-    print("")
-    print("GetSystemInfo")
-    windows.utils.sprint(windows.utils.get_system_info(native=False), name="SystemInfo")
-    print("")
-    print("GetNativeSystemInfo")
-    windows.utils.sprint(windows.utils.get_system_info(native=True), name="NativeSystemInfo")
 
 @process_syswow_only
 class TestSyswowCurrentProcess(object):

windows/generated_def/__init__.py

@@ -67,5 +67,57 @@ def bitness():
 from .windef import *
 from .interfaces import *
 
-
+# Define custom Flag mappers for define list that should be enums
+
+PROCESSOR_ARCHITECTURE_MAPPER = FlagMapper(
+    PROCESSOR_ARCHITECTURE_INTEL,
+    PROCESSOR_ARCHITECTURE_MIPS,
+    PROCESSOR_ARCHITECTURE_ALPHA,
+    PROCESSOR_ARCHITECTURE_PPC,
+    PROCESSOR_ARCHITECTURE_SHX,
+    PROCESSOR_ARCHITECTURE_ARM,
+    PROCESSOR_ARCHITECTURE_IA64,
+    PROCESSOR_ARCHITECTURE_ALPHA64,
+    PROCESSOR_ARCHITECTURE_MSIL,
+    PROCESSOR_ARCHITECTURE_AMD64,
+    PROCESSOR_ARCHITECTURE_IA32_ON_WIN64,
+    PROCESSOR_ARCHITECTURE_NEUTRAL,
+    PROCESSOR_ARCHITECTURE_ARM64,
+    PROCESSOR_ARCHITECTURE_ARM32_ON_WIN64,
+    PROCESSOR_ARCHITECTURE_UNKNOWN,
+    IMAGE_FILE_MACHINE_TARGET_HOST
+)
+
+IMAGE_FILE_MACHINE_MAPPER = FlagMapper(
+    IMAGE_FILE_MACHINE_UNKNOWN,
+    IMAGE_FILE_MACHINE_I386,
+    IMAGE_FILE_MACHINE_R3000,
+    IMAGE_FILE_MACHINE_R4000,
+    IMAGE_FILE_MACHINE_R10000,
+    IMAGE_FILE_MACHINE_WCEMIPSV2,
+    IMAGE_FILE_MACHINE_ALPHA,
+    IMAGE_FILE_MACHINE_SH3,
+    IMAGE_FILE_MACHINE_SH3DSP,
+    IMAGE_FILE_MACHINE_SH3E,
+    IMAGE_FILE_MACHINE_SH4,
+    IMAGE_FILE_MACHINE_SH5,
+    IMAGE_FILE_MACHINE_ARM,
+    IMAGE_FILE_MACHINE_THUMB,
+    IMAGE_FILE_MACHINE_ARMNT,
+    IMAGE_FILE_MACHINE_AM33,
+    IMAGE_FILE_MACHINE_POWERPC,
+    IMAGE_FILE_MACHINE_POWERPCFP,
+    IMAGE_FILE_MACHINE_IA64,
+    IMAGE_FILE_MACHINE_MIPS16,
+    IMAGE_FILE_MACHINE_ALPHA64,
+    IMAGE_FILE_MACHINE_MIPSFPU,
+    IMAGE_FILE_MACHINE_MIPSFPU16,
+    IMAGE_FILE_MACHINE_TRICORE,
+    IMAGE_FILE_MACHINE_CEF,
+    IMAGE_FILE_MACHINE_EBC,
+    IMAGE_FILE_MACHINE_AMD64,
+    IMAGE_FILE_MACHINE_M32R,
+    IMAGE_FILE_MACHINE_CEE,
+    IMAGE_FILE_MACHINE_ARM64
+)
 

windows/generated_def/meta.py

@@ -1722,6 +1722,7 @@
 'IMAGE_FILE_MACHINE_SH3E',
 'IMAGE_FILE_MACHINE_SH4',
 'IMAGE_FILE_MACHINE_SH5',
+'IMAGE_FILE_MACHINE_TARGET_HOST',
 'IMAGE_FILE_MACHINE_THUMB',
 'IMAGE_FILE_MACHINE_TRICORE',
 'IMAGE_FILE_MACHINE_UNKNOWN',
@@ -2421,7 +2422,44 @@
 'PRIORITY_BIT',
 'PRIORITY_EQUAL_FIRST',
 'PRIORITY_EQUAL_LAST',
+'PROCESSOR_ALPHA_21064',
+'PROCESSOR_ARCHITECTURE_ALPHA',
+'PROCESSOR_ARCHITECTURE_ALPHA64',
+'PROCESSOR_ARCHITECTURE_AMD64',
+'PROCESSOR_ARCHITECTURE_ARM',
+'PROCESSOR_ARCHITECTURE_ARM32_ON_WIN64',
+'PROCESSOR_ARCHITECTURE_ARM64',
+'PROCESSOR_ARCHITECTURE_IA32_ON_WIN64',
+'PROCESSOR_ARCHITECTURE_IA64',
+'PROCESSOR_ARCHITECTURE_INTEL',
+'PROCESSOR_ARCHITECTURE_MIPS',
+'PROCESSOR_ARCHITECTURE_MSIL',
+'PROCESSOR_ARCHITECTURE_NEUTRAL',
+'PROCESSOR_ARCHITECTURE_PPC',
+'PROCESSOR_ARCHITECTURE_SHX',
+'PROCESSOR_ARCHITECTURE_UNKNOWN',
+'PROCESSOR_ARM720',
+'PROCESSOR_ARM820',
+'PROCESSOR_ARM920',
+'PROCESSOR_ARM_7TDMI',
 'PROCESSOR_FEATURE_MAX',
+'PROCESSOR_HITACHI_SH3',
+'PROCESSOR_HITACHI_SH3E',
+'PROCESSOR_HITACHI_SH4',
+'PROCESSOR_INTEL_386',
+'PROCESSOR_INTEL_486',
+'PROCESSOR_INTEL_IA64',
+'PROCESSOR_INTEL_PENTIUM',
+'PROCESSOR_MIPS_R4000',
+'PROCESSOR_MOTOROLA_821',
+'PROCESSOR_OPTIL',
+'PROCESSOR_PPC_601',
+'PROCESSOR_PPC_603',
+'PROCESSOR_PPC_604',
+'PROCESSOR_PPC_620',
+'PROCESSOR_SHx_SH3',
+'PROCESSOR_SHx_SH4',
+'PROCESSOR_STRONGARM',
 'PROCESS_ALL_ACCESS',
 'PROCESS_CREATE_PROCESS',
 'PROCESS_CREATE_THREAD',

windows/generated_def/windef.py

@@ -1169,6 +1169,43 @@ def HRESULT_FACILITY(hr):
 NMPWAIT_WAIT_FOREVER = make_flag("NMPWAIT_WAIT_FOREVER", 0xffffffff)
 NMPWAIT_NOWAIT = make_flag("NMPWAIT_NOWAIT", 0x00000001)
 NMPWAIT_USE_DEFAULT_WAIT = make_flag("NMPWAIT_USE_DEFAULT_WAIT", 0x00000000)
+PROCESSOR_INTEL_386 = make_flag("PROCESSOR_INTEL_386", 386)
+PROCESSOR_INTEL_486 = make_flag("PROCESSOR_INTEL_486", 486)
+PROCESSOR_INTEL_PENTIUM = make_flag("PROCESSOR_INTEL_PENTIUM", 586)
+PROCESSOR_INTEL_IA64 = make_flag("PROCESSOR_INTEL_IA64", 2200)
+PROCESSOR_MIPS_R4000 = make_flag("PROCESSOR_MIPS_R4000", 4000)
+PROCESSOR_ALPHA_21064 = make_flag("PROCESSOR_ALPHA_21064", 21064)
+PROCESSOR_PPC_601 = make_flag("PROCESSOR_PPC_601", 601)
+PROCESSOR_PPC_603 = make_flag("PROCESSOR_PPC_603", 603)
+PROCESSOR_PPC_604 = make_flag("PROCESSOR_PPC_604", 604)
+PROCESSOR_PPC_620 = make_flag("PROCESSOR_PPC_620", 620)
+PROCESSOR_HITACHI_SH3 = make_flag("PROCESSOR_HITACHI_SH3", 10003)
+PROCESSOR_HITACHI_SH3E = make_flag("PROCESSOR_HITACHI_SH3E", 10004)
+PROCESSOR_HITACHI_SH4 = make_flag("PROCESSOR_HITACHI_SH4", 10005)
+PROCESSOR_MOTOROLA_821 = make_flag("PROCESSOR_MOTOROLA_821", 821)
+PROCESSOR_SHx_SH3 = make_flag("PROCESSOR_SHx_SH3", 103)
+PROCESSOR_SHx_SH4 = make_flag("PROCESSOR_SHx_SH4", 104)
+PROCESSOR_STRONGARM = make_flag("PROCESSOR_STRONGARM", 2577)
+PROCESSOR_ARM720 = make_flag("PROCESSOR_ARM720", 1824)
+PROCESSOR_ARM820 = make_flag("PROCESSOR_ARM820", 2080)
+PROCESSOR_ARM920 = make_flag("PROCESSOR_ARM920", 2336)
+PROCESSOR_ARM_7TDMI = make_flag("PROCESSOR_ARM_7TDMI", 70001)
+PROCESSOR_OPTIL = make_flag("PROCESSOR_OPTIL", 0x494f)
+PROCESSOR_ARCHITECTURE_INTEL = make_flag("PROCESSOR_ARCHITECTURE_INTEL", 0)
+PROCESSOR_ARCHITECTURE_MIPS = make_flag("PROCESSOR_ARCHITECTURE_MIPS", 1)
+PROCESSOR_ARCHITECTURE_ALPHA = make_flag("PROCESSOR_ARCHITECTURE_ALPHA", 2)
+PROCESSOR_ARCHITECTURE_PPC = make_flag("PROCESSOR_ARCHITECTURE_PPC", 3)
+PROCESSOR_ARCHITECTURE_SHX = make_flag("PROCESSOR_ARCHITECTURE_SHX", 4)
+PROCESSOR_ARCHITECTURE_ARM = make_flag("PROCESSOR_ARCHITECTURE_ARM", 5)
+PROCESSOR_ARCHITECTURE_IA64 = make_flag("PROCESSOR_ARCHITECTURE_IA64", 6)
+PROCESSOR_ARCHITECTURE_ALPHA64 = make_flag("PROCESSOR_ARCHITECTURE_ALPHA64", 7)
+PROCESSOR_ARCHITECTURE_MSIL = make_flag("PROCESSOR_ARCHITECTURE_MSIL", 8)
+PROCESSOR_ARCHITECTURE_AMD64 = make_flag("PROCESSOR_ARCHITECTURE_AMD64", 9)
+PROCESSOR_ARCHITECTURE_IA32_ON_WIN64 = make_flag("PROCESSOR_ARCHITECTURE_IA32_ON_WIN64", 10)
+PROCESSOR_ARCHITECTURE_NEUTRAL = make_flag("PROCESSOR_ARCHITECTURE_NEUTRAL", 11)
+PROCESSOR_ARCHITECTURE_ARM64 = make_flag("PROCESSOR_ARCHITECTURE_ARM64", 12)
+PROCESSOR_ARCHITECTURE_ARM32_ON_WIN64 = make_flag("PROCESSOR_ARCHITECTURE_ARM32_ON_WIN64", 13)
+PROCESSOR_ARCHITECTURE_UNKNOWN = make_flag("PROCESSOR_ARCHITECTURE_UNKNOWN", 0xFFFF)
 HKEY_CLASSES_ROOT = make_flag("HKEY_CLASSES_ROOT", ( 0x80000000 ))
 HKEY_CURRENT_USER = make_flag("HKEY_CURRENT_USER", ( 0x80000001 ))
 HKEY_LOCAL_MACHINE = make_flag("HKEY_LOCAL_MACHINE", ( 0x80000002 ))
@@ -2946,6 +2983,7 @@ def HRESULT_FACILITY(hr):
 IMAGE_FILE_MACHINE_M32R = make_flag("IMAGE_FILE_MACHINE_M32R", 0x9041)
 IMAGE_FILE_MACHINE_CEE = make_flag("IMAGE_FILE_MACHINE_CEE", 0xC0EE)
 IMAGE_FILE_MACHINE_ARM64 = make_flag("IMAGE_FILE_MACHINE_ARM64", 0xAA64)
+IMAGE_FILE_MACHINE_TARGET_HOST = make_flag("IMAGE_FILE_MACHINE_TARGET_HOST", 0x0001)
 CERT_QUERY_OBJECT_FILE = make_flag("CERT_QUERY_OBJECT_FILE", 0x00000001)
 CERT_QUERY_OBJECT_BLOB = make_flag("CERT_QUERY_OBJECT_BLOB", 0x00000002)
 CERT_QUERY_CONTENT_CERT = make_flag("CERT_QUERY_CONTENT_CERT", 1)

windows/winobject/process.py

@@ -64,14 +64,30 @@ def exit_code(self):
 
 
 class Process(utils.AutoHandle):
-    @utils.fixedpropety
+    @utils.fixedproperty
     def is_wow_64(self):
         """``True`` if the process is a SysWow64 process (32bit process on 64bits system).
 
         :type: :class:`bool`
 		"""
-        # return utils.is_wow_64(self.handle)
-        return utils.is_wow_64(self.limited_handle)
+        if not windows.winproxy.is_implemented(windows.winproxy.IsWow64Process):
+            return False
+        Wow64Process = gdef.BOOL()
+        windows.winproxy.IsWow64Process(self.handle, Wow64Process)
+        return bool(Wow64Process)
+
+
+
+    @utils.fixedproperty
+    def is_wow_64_2(self):
+        if not windows.winproxy.is_implemented(windows.winproxy.IsWow64Process2):
+            return None, None
+        processMachine = gdef.USHORT()
+        nativeMachine = gdef.USHORT()
+        windows.winproxy.IsWow64Process2(self.handle, processMachine, nativeMachine)
+        return (gdef.IMAGE_FILE_MACHINE_MAPPER[processMachine.value],
+                gdef.IMAGE_FILE_MACHINE_MAPPER[nativeMachine.value])
+
 
     @utils.fixedpropety
     def bitness(self):
@@ -85,6 +101,22 @@ def bitness(self):
             return 32
         return 64
 
+    @utils.fixedproperty
+    def architecture(self):
+        # Syswow2 will exactly tell us the architecture
+        if windows.winproxy.is_implemented(windows.winproxy.IsWow64Process2):
+            process_machine, native_machine = self.is_wow_64_2
+            try:
+                return utils.image_file_machine_to_processor_architecture(process_machine)
+            except KeyError as e:
+                raise ValueError("Unknown IsWow64Process2(process_machine:#x) -> {0}".format(process_machine))
+
+        # No IsWow64Process2 -> No ARM64
+        # So its up on x86 -> x64 based on process bitness
+        if self.bitness == 32:
+            return gdef.PROCESSOR_ARCHITECTURE_INTEL
+        return gdef.PROCESSOR_ARCHITECTURE_AMD64
+
     @utils.fixedpropety
     def limited_handle(self):
         if windows.system.version[0] <= 5:
@@ -648,7 +680,7 @@ def peb(self):
 		"""
         return PEB.from_address(self.get_peb_builtin()())
 
-    @utils.fixedpropety
+    @utils.fixedproperty
     def bitness(self):
         """The bitness of the process
 

windows/winobject/system.py

@@ -10,7 +10,6 @@
 import windows.generated_def as gdef
 
 
-
 from windows.winobject import process
 from windows.winobject import network
 from windows.winobject import registry
@@ -586,6 +585,24 @@ def kuser_shared_data(self):
         # These are the part that do not move much between XP & Win10
         return gdef.PFW_MINIMAL_KUSER_SHARED_DATA.from_address(gdef.MM_SHARED_USER_DATA_VA)
 
+    @utils.fixedproperty
+    def architecture(self):
+        # Retrieve system processor architecture
+        # It's not that easy as x64-on-ARM64 will lie on most API except IsWow64Process2
+        # EX: GetNativeSystemInfo will returns PROCESSOR_ARCHITECTURE_AMD64
+        if windows.winproxy.is_implemented(windows.winproxy.IsWow64Process2):
+            process_machine, native_machine = windows.current_process.is_wow_64_2
+            try:
+                return utils.image_file_machine_to_processor_architecture(native_machine)
+            except KeyError as e:
+                raise ValueError("Unknown IsWow64Process2(native_machine:#x) -> {0}".format(native_machine))
+
+        # No IsWow64Process2 -> assert it cannot be ARM64 and thus GetNativeSystemInfo will not lie ?
+        sysinfo = gdef.SYSTEM_INFO()
+        windows.winproxy.GetNativeSystemInfo(sysinfo)
+        return gdef.PROCESSOR_ARCHITECTURE_MAPPER[sysinfo.wProcessorArchitecture]
+
+
 
     @staticmethod
     def enumerate_processes():