danielplohmann / apiscout

This project aims at simplifying Windows API import recovery on arbitrary memory dumps
BSD 2-Clause "Simplified" License

made db_builder python 3.7 compatible #17

Closed elanfer closed 4 years ago

elanfer commented 4 years ago

This PR brings python 3.7 compatibility to the ApiScout database builder.

Replaced popen2 SYSTEMINFO call by WMI procedures: Since os.popen2 is no longer supported in Python 3, the subprocess.Popen module should be used instead. Due to the fact that parsing the shell output of a process is more tricky and may, depending on the OS (win7 vs. win10), produce several other issues, I decided to implement getting this information via the Windows WMI service. This brings an extra dependency, but the code is easier to understand and it should have better compatibility with the different Windows versions. I took the OS and system information via WMI; these calls do not provide information on the BIOS version and the Logon Server. This information can be retrieved via extra WMI calls, but is it needed in ApiScout use cases or can we kick 'em out?

Updated pefile to the most recent version: Some instructions in the last used pefile version were not fully Python 3.7 compatible, so I included the latest version from the pefile repo, including an update of the license file (which was just a year change).

Minor changes

danielplohmann commented 4 years ago

Hi Eric! Thanks a lot for the updates! I fully understand the popen2 issues and see the need for a change. I'd prefer to not have additional dependencies and would prefer a solution using built-in Python utilities as follows:

import platform
import sys

# platform.uname() is available everywhere; sys.getwindowsversion() only exists on Windows
platform_info = platform.uname()
version_info = sys.getwindowsversion()

# e.g. 'Windows 7 Service Pack 1 (AMD64)'
os_name = "%s %s %s (%s)" % (platform_info.system, platform_info.release, version_info.service_pack, platform_info.machine)
# e.g. '6.1.7601'
os_version = platform_info.version

resulting in something like:

os_name -> 'Windows 7 Service Pack 1 (AMD64)'
os_version -> '6.1.7601'

Everything else looks fine!
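The same standard-library approach, wrapped into a function as an added example that is not part of the PR or the project's code. It goes a little beyond the snippet above: the service pack is only inserted when it is non-empty (Windows 10 reports an empty string, which would otherwise leave a double space in the name), and it falls back gracefully where sys.getwindowsversion() does not exist, so the helper can be imported on non-Windows hosts without raising AttributeError. The function names format_os_name and get_os_info are my own.

```python
import platform
import sys


def format_os_name(system, release, service_pack, machine):
    """Build the OS name string in the layout suggested above,
    e.g. 'Windows 7 Service Pack 1 (AMD64)'.

    The service pack is optional: sys.getwindowsversion().service_pack is ''
    on Windows 10, so it is only inserted when present."""
    parts = [system, release]
    if service_pack:
        parts.append(service_pack)
    return "%s (%s)" % (" ".join(parts), machine)


def get_os_info():
    """Return (os_name, os_version) using only the standard library.

    sys.getwindowsversion() exists only on Windows; on other platforms the
    service pack field is left empty instead of raising AttributeError, and
    platform.uname().version then carries the kernel version string."""
    info = platform.uname()
    getwinver = getattr(sys, "getwindowsversion", None)  # None when not on Windows
    service_pack = getwinver().service_pack if getwinver else ""
    os_name = format_os_name(info.system, info.release, service_pack, info.machine)
    os_version = info.version  # e.g. '6.1.7601' on Windows 7 SP1
    return os_name, os_version


if __name__ == "__main__":
    name, version = get_os_info()
    print("os_name    -> %r" % name)
    print("os_version -> %r" % version)
```

Running this on the Windows 7 SP1 x64 box from the discussion gives the same two strings shown above; on a current Windows 10 host the name comes out as 'Windows 10 (AMD64)' without a stray double space.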

elanfer commented 4 years ago

Daniel, thanks for your suggestion! I was not aware that the platform module provides such methods. I kicked the WMI import now and replaced it according to your suggestion. The last commit was successfully tested on a 64-bit Win7 machine with Python 3.7.6.

danielplohmann commented 4 years ago

Thanks for the changes!