Skip to content

Instantly share code, notes, and snippets.

@Aetopia

Aetopia/detect if running conhost.py

Created June 13, 2022 04:59
Show Gist options
  • Save Aetopia/eb11c1b0dd46893bd90b4d66a1265a76 to your computer and use it in GitHub Desktop.
Save Aetopia/eb11c1b0dd46893bd90b4d66a1265a76 to your computer and use it in GitHub Desktop.
Download ZIP
Process Traceback + Detect if using Conhost.
Raw
detect if running conhost.py
from wmi import WMI
from os import getpid
pid = getpid()
Win32_Process = WMI().Win32_Process()
conhost = ()
is_conhost = False
def process_traceback(pid: int):
processes, length = (), [None, None]
while True:
length[0] = len(processes)
for process in Win32_Process:
if process.ProcessID == pid:
pid = process.ParentProcessId
yield {'exe': process.name, 'pid': process.ProcessID}
processes += '',
length[1] = len(processes)
if length[0] is length[1]:
break
processes = tuple(process_traceback(pid))
print(processes)
for x in Win32_Process:
if x.Name == 'conhost.exe':
conhost += x.ParentProcessID,
for a in processes:
for b in conhost:
if a['pid'] == b:
print(a['exe'])
is_conhost = True
break
if is_conhost:
print('Likely conhost.exe')
else:
print('Not conhost.exe')
Raw
process_traceback.py
from wmi import WMI
Win32_Process = WMI().Win32_Process()
def process_traceback(pid: int):
processes, length = (), [None, None]
while True:
length[0] = len(processes)
for process in Win32_Process:
if process.ProcessID == pid:
pid = process.ParentProcessId
yield {'exe': process.name, 'pid': process.ProcessID}
processes += '',
length[1] = len(processes)
if length[0] is length[1]:
break
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment