/**
 * Classifies one process reached through a csrss-owned handle and reports it
 * to the user-supplied callback held in the context.
 *
 * The process is opened via the csrss handle (not by PID), so it can be
 * reached even if it is missing from the normal process list. It is then
 * classified as:
 *   - TerminatedProcess if its exit time is non-zero (the object lingers
 *     because a handle is still open),
 *   - NormalProcess if its PID is in the context's PID snapshot,
 *   - HiddenProcess if it is alive but absent from that snapshot,
 *   - UnknownProcess (FileName NULL) if it could not be opened or queried.
 *
 * \param Handle Handle information supplied by the csrss handle enumeration.
 * \param Context A PCSR_HANDLES_CONTEXT. Although annotated _In_opt_, it is
 * dereferenced unconditionally, so the caller must always provide it.
 *
 * \return FALSE as soon as the user callback asks to stop, otherwise TRUE.
 */
static BOOLEAN NTAPI PhpCsrProcessHandlesCallback(
    _In_ PPH_CSR_HANDLE_INFO Handle,
    _In_opt_ PVOID Context
    )
{
    PCSR_HANDLES_CONTEXT csrContext = Context;
    NTSTATUS status;
    HANDLE processHandle;
    KERNEL_USER_TIMES times;
    PPH_STRING imageFileName;
    PH_HIDDEN_PROCESS_ENTRY entry;
    BOOLEAN keepGoing = TRUE;

    entry.ProcessId = Handle->ProcessId;

    status = PhOpenProcessByCsrHandle(&processHandle, ProcessQueryAccess, Handle);

    if (NT_SUCCESS(status))
    {
        status = PhGetProcessTimes(processHandle, &times);

        if (NT_SUCCESS(status))
            status = PhGetProcessImageFileName(processHandle, &imageFileName);

        if (NT_SUCCESS(status))
        {
            // Convert the native image path to a DOS path for display.
            entry.FileName = PhGetFileName(imageFileName);
            PhDereferenceObject(imageFileName);

            if (times.ExitTime.QuadPart != 0)
                entry.Type = TerminatedProcess;
            else if (PhFindItemList(csrContext->Pids, Handle->ProcessId) != -1)
                entry.Type = NormalProcess;
            else
                entry.Type = HiddenProcess;

            if (!csrContext->Callback(&entry, csrContext->Context))
                keepGoing = FALSE;

            PhDereferenceObject(entry.FileName);
        }

        NtClose(processHandle);
    }

    // Any failure along the way (open, times or image name) is still reported,
    // so the caller can see that a process exists but could not be inspected.
    if (!NT_SUCCESS(status))
    {
        entry.FileName = NULL;
        entry.Type = UnknownProcess;

        if (!csrContext->Callback(&entry, csrContext->Context))
            keepGoing = FALSE;
    }

    return keepGoing;
}
/**
 * Resolves the user name of the process behind an open handle.
 *
 * \param ProcessHandle A handle with enough access to open the process token
 * for TOKEN_QUERY.
 *
 * \return A referenced string with the account name, or NULL when the token
 * could not be opened or its user could not be queried (the caller shows an
 * empty column in that case).
 */
static PPH_STRING PhpQueryProcessUserName(
    _In_ HANDLE ProcessHandle
    )
{
    PPH_STRING userName = NULL;
    HANDLE tokenHandle;
    PTOKEN_USER tokenUser;

    if (NT_SUCCESS(PhOpenProcessToken(&tokenHandle, TOKEN_QUERY, ProcessHandle)))
    {
        if (NT_SUCCESS(PhGetTokenUser(tokenHandle, &tokenUser)))
        {
            userName = PhGetSidFullName(tokenUser->User.Sid, TRUE, NULL);
            PhFree(tokenUser);
        }

        NtClose(tokenHandle);
    }

    return userName;
}

/**
 * Repopulates the process list view of the "choose process" dialog from a
 * fresh process snapshot. Each row carries the image name, its shell icon,
 * the PID (column 1) and the user name (column 2); the PID is stored as the
 * item's parameter.
 *
 * Per-process queries are best-effort: a process that cannot be opened
 * (e.g. insufficient access) is still listed, with whatever columns could be
 * filled. Failure to take the snapshot itself is reported to the user.
 *
 * \param hwndDlg The dialog window, used as the owner of the error message.
 * \param Context Dialog context providing the list view and image list.
 */
static VOID PhpRefreshProcessList(
    _In_ HWND hwndDlg,
    _In_ PCHOOSE_PROCESS_DIALOG_CONTEXT Context
    )
{
    NTSTATUS status;
    HWND listViewHandle = Context->ListViewHandle;
    PVOID processInfo;
    PSYSTEM_PROCESS_INFORMATION process;

    ListView_DeleteAllItems(listViewHandle);
    ImageList_RemoveAll(Context->ImageList);

    status = PhEnumProcesses(&processInfo);

    if (!NT_SUCCESS(status))
    {
        PhShowStatus(hwndDlg, L"Unable to enumerate processes", status, 0);
        return;
    }

    ExtendedListView_SetRedraw(listViewHandle, FALSE);

    for (process = PH_FIRST_PROCESS(processInfo); process; process = PH_NEXT_PROCESS(process))
    {
        HANDLE processId = process->UniqueProcessId;
        PPH_STRING displayName;
        INT itemIndex;
        HANDLE processHandle;
        PPH_STRING fileName = NULL;
        PPH_STRING userName = NULL;
        HICON icon;
        WCHAR pidText[PH_INT32_STR_LEN_1];

        // The idle process gets a fixed label instead of its image name.
        displayName = processId != SYSTEM_IDLE_PROCESS_ID
            ? PhCreateStringFromUnicodeString(&process->ImageName)
            : PhCreateString(SYSTEM_IDLE_PROCESS_NAME);

        itemIndex = PhAddListViewItem(listViewHandle, MAXINT, displayName->Buffer, processId);
        PhDereferenceObject(displayName);

        if (NT_SUCCESS(PhOpenProcess(&processHandle, ProcessQueryAccess, processId)))
        {
            // On older Windows the image name needs a handle; the System
            // process is handled separately below.
            if (!WINDOWS_HAS_IMAGE_FILE_NAME_BY_PROCESS_ID && processId != SYSTEM_PROCESS_ID)
                PhGetProcessImageFileName(processHandle, &fileName);

            userName = PhpQueryProcessUserName(processHandle);
            NtClose(processHandle);
        }

        // Fallback account label for the idle process when no token user was found.
        if (processId == SYSTEM_IDLE_PROCESS_ID && !userName && PhLocalSystemName)
            PhSetReference(&userName, PhLocalSystemName);

        // Newer Windows can resolve the image name from the PID alone, which
        // also works for processes we could not open.
        if (WINDOWS_HAS_IMAGE_FILE_NAME_BY_PROCESS_ID && processId != SYSTEM_PROCESS_ID)
            PhGetProcessImageFileNameByProcessId(processId, &fileName);

        // The System process is represented by the kernel image.
        if (processId == SYSTEM_PROCESS_ID)
            fileName = PhGetKernelFileName();

        if (fileName)
            PhMoveReference(&fileName, PhGetFileName(fileName));

        // Column 0: icon
        icon = PhGetFileShellIcon(PhGetString(fileName), L".exe", FALSE);

        if (icon)
        {
            INT imageIndex = ImageList_AddIcon(Context->ImageList, icon);

            PhSetListViewItemImageIndex(listViewHandle, itemIndex, imageIndex);
            DestroyIcon(icon);
        }

        // Column 1: PID
        PhPrintUInt32(pidText, HandleToUlong(processId));
        PhSetListViewSubItem(listViewHandle, itemIndex, 1, pidText);

        // Column 2: user name (NULL when unresolved)
        PhSetListViewSubItem(listViewHandle, itemIndex, 2, PhGetString(userName));

        if (userName)
            PhDereferenceObject(userName);
        if (fileName)
            PhDereferenceObject(fileName);
    }

    PhFree(processInfo);

    ExtendedListView_SortItems(listViewHandle);
    ExtendedListView_SetRedraw(listViewHandle, TRUE);
}
/**
 * Classifies a process as one of the well-known Windows processes (smss,
 * csrss, lsass, svchost, ...) by comparing its image path against fixed
 * locations under the system root.
 *
 * \param ProcessHandle A handle to the process; it must allow querying basic
 * information and the image file name.
 * \param KnownProcessType Receives the classification, or UnknownProcessType
 * when the image is not one of the recognised paths. On x64 the
 * KnownProcessWow64 flag is OR'd in for images found under SysWow64.
 *
 * \return STATUS_SUCCESS, or the failure status of the underlying query
 * (in which case KnownProcessType is not written).
 *
 * \remarks This is a path-based heuristic intended for display and grouping.
 * It only compares the (case-insensitive) image path; it does not verify the
 * image's signature, the process's token or its parent, so it must not be
 * used as a trust decision about the process.
 */
NTSTATUS PhGetProcessKnownType(
    __in HANDLE ProcessHandle,
    __out PH_KNOWN_PROCESS_TYPE *KnownProcessType
    )
{
    // Image names (with leading backslash) expected directly under System32
    // (or SysWow64 on x64), and the type each one maps to.
    static const struct
    {
        PWSTR Name;
        PH_KNOWN_PROCESS_TYPE Type;
    } system32Images[] =
    {
        { L"\\smss.exe", SessionManagerProcessType },
        { L"\\csrss.exe", WindowsSubsystemProcessType },
        { L"\\wininit.exe", WindowsStartupProcessType },
        { L"\\services.exe", ServiceControlManagerProcessType },
        { L"\\lsass.exe", LocalSecurityAuthorityProcessType },
        { L"\\lsm.exe", LocalSessionManagerProcessType },
        { L"\\winlogon.exe", WindowsLogonProcessType },
        { L"\\svchost.exe", ServiceHostProcessType },
        { L"\\rundll32.exe", RunDllAsAppProcessType },
        { L"\\dllhost.exe", ComSurrogateProcessType },
        { L"\\taskeng.exe", TaskHostProcessType },
        { L"\\taskhost.exe", TaskHostProcessType }
    };

    NTSTATUS status;
    PROCESS_BASIC_INFORMATION basicInfo;
    PH_STRINGREF systemRoot;
    PPH_STRING nativeFileName;
    PPH_STRING dosFileName;
    PH_STRINGREF rest;
    PH_KNOWN_PROCESS_TYPE type = UnknownProcessType;
#ifdef _M_X64
    BOOLEAN underSysWow64 = FALSE;
#endif

    status = PhGetProcessBasicInformation(ProcessHandle, &basicInfo);

    if (!NT_SUCCESS(status))
        return status;

    // The System process has no user-mode image to inspect.
    if (basicInfo.UniqueProcessId == SYSTEM_PROCESS_ID)
    {
        *KnownProcessType = SystemProcessType;
        return STATUS_SUCCESS;
    }

    PhGetSystemRoot(&systemRoot);

    status = PhGetProcessImageFileName(ProcessHandle, &nativeFileName);

    if (!NT_SUCCESS(status))
        return status;

    // Convert the native (\Device\...) path to a DOS path so it can be
    // compared against the system root.
    dosFileName = PhGetFileName(nativeFileName);
    PhDereferenceObject(nativeFileName);

    rest = dosFileName->sr;

    if (PhStartsWithStringRef(&rest, &systemRoot, TRUE))
    {
        BOOLEAN inSystemDirectory = FALSE;

        // Strip the system root. What remains is one of:
        //   \xyz.exe           - directly under the Windows directory
        //   \System32\xyz.exe  - system32 executable
        //   \SysWow64\xyz.exe  - system32 executable running under WOW64
        // Length is in bytes; Buffer is a WCHAR pointer.
        rest.Buffer += systemRoot.Length / 2;
        rest.Length -= systemRoot.Length;

        if (PhEqualStringRef2(&rest, L"\\explorer.exe", TRUE))
        {
            type = ExplorerProcessType;
        }
        else
        {
            if (PhStartsWithStringRef2(&rest, L"\\System32", TRUE))
            {
                inSystemDirectory = TRUE;
            }
#ifdef _M_X64
            else if (PhStartsWithStringRef2(&rest, L"\\SysWow64", TRUE))
            {
                inSystemDirectory = TRUE;
                underSysWow64 = TRUE;
            }
#endif

            if (inSystemDirectory)
            {
                ULONG i;

                // "\System32" and "\SysWow64" are both 9 characters long.
                rest.Buffer += 9;
                rest.Length -= 9 * 2;

                for (i = 0; i < sizeof(system32Images) / sizeof(system32Images[0]); i++)
                {
                    if (PhEqualStringRef2(&rest, system32Images[i].Name, TRUE))
                    {
                        type = system32Images[i].Type;
                        break;
                    }
                }
            }
        }
    }

    PhDereferenceObject(dosFileName);

#ifdef _M_X64
    if (underSysWow64)
        type |= KnownProcessWow64;
#endif

    *KnownProcessType = type;

    return status;
}
/**
 * Finds hidden processes by brute force: takes a snapshot of the PIDs the
 * system reports, then tries to open every candidate PID in a fixed range and
 * reports each one that exists, classified as:
 *   - TerminatedProcess if its exit time is non-zero (the object lingers
 *     because a handle is still open),
 *   - NormalProcess if it is in the snapshot,
 *   - HiddenProcess if it is alive but not in the snapshot,
 *   - UnknownProcess (FileName NULL) if it exists but could not be inspected.
 *
 * \param Callback Invoked once per reported process; return FALSE to stop.
 * \param Context Passed through to Callback.
 *
 * \return The status of the initial process enumeration; per-PID failures are
 * reported through Callback rather than as a return value.
 *
 * \remarks Two limitations a consumer should know about:
 *   - Only PIDs from 8 to 65536 (step 4) are probed; a process with a
 *     larger PID is never reported by this method.
 *   - The snapshot is taken once, before the scan. A process created after
 *     the snapshot is not in it and will therefore be reported as
 *     HiddenProcess (a false positive), so results should be confirmed
 *     against a fresh enumeration before being acted on.
 */
NTSTATUS PhpEnumHiddenProcessesBruteForce(
    _In_ PPH_ENUM_HIDDEN_PROCESSES_CALLBACK Callback,
    _In_opt_ PVOID Context
    )
{
    // PIDs are multiples of 4; 0 and 4 (idle/System) are not probed.
    enum
    {
        PHP_FIRST_PROBE_PID = 8,
        PHP_LAST_PROBE_PID = 65536,
        PHP_PROBE_PID_STEP = 4
    };

    NTSTATUS status;
    PVOID processInfo;
    PSYSTEM_PROCESS_INFORMATION process;
    PPH_LIST knownPids;
    ULONG pid;
    BOOLEAN cancelled = FALSE;

    status = PhEnumProcesses(&processInfo);

    if (!NT_SUCCESS(status))
        return status;

    // Snapshot of the PIDs the system admits to.
    knownPids = PhCreateList(40);

    for (process = PH_FIRST_PROCESS(processInfo); process; process = PH_NEXT_PROCESS(process))
        PhAddItemList(knownPids, process->UniqueProcessId);

    PhFree(processInfo);

    for (pid = PHP_FIRST_PROBE_PID; pid <= PHP_LAST_PROBE_PID && !cancelled; pid += PHP_PROBE_PID_STEP)
    {
        HANDLE processId = UlongToHandle(pid);
        NTSTATUS probeStatus;
        HANDLE processHandle;
        PH_HIDDEN_PROCESS_ENTRY entry;
        KERNEL_USER_TIMES times;
        PPH_STRING imageFileName;

        entry.ProcessId = processId;

        probeStatus = PhOpenProcess(&processHandle, ProcessQueryAccess, processId);

        if (NT_SUCCESS(probeStatus))
        {
            probeStatus = PhGetProcessTimes(processHandle, &times);

            if (NT_SUCCESS(probeStatus))
                probeStatus = PhGetProcessImageFileName(processHandle, &imageFileName);

            if (NT_SUCCESS(probeStatus))
            {
                entry.FileName = PhGetFileName(imageFileName);
                PhDereferenceObject(imageFileName);

                if (times.ExitTime.QuadPart != 0)
                    entry.Type = TerminatedProcess;
                else if (PhFindItemList(knownPids, processId) != -1)
                    entry.Type = NormalProcess;
                else
                    entry.Type = HiddenProcess;

                if (!Callback(&entry, Context))
                    cancelled = TRUE;

                PhDereferenceObject(entry.FileName);
            }

            NtClose(processHandle);
        }

        // Fallback when we lack access to the process (e.g. a protected
        // process): resolve the image name by PID alone. No exit time is
        // available on this path, so a lingering terminated process is
        // classified as Normal or Hidden rather than Terminated.
        if (probeStatus == STATUS_ACCESS_DENIED && WindowsVersion >= WINDOWS_VISTA)
        {
            probeStatus = PhGetProcessImageFileNameByProcessId(processId, &imageFileName);

            if (NT_SUCCESS(probeStatus))
            {
                entry.FileName = PhGetFileName(imageFileName);
                PhDereferenceObject(imageFileName);
                entry.Type = PhFindItemList(knownPids, processId) != -1 ? NormalProcess : HiddenProcess;

                if (!Callback(&entry, Context))
                    cancelled = TRUE;

                PhDereferenceObject(entry.FileName);
            }
        }

        // These statuses simply mean there is no process with this PID.
        if (probeStatus == STATUS_INVALID_CID || probeStatus == STATUS_INVALID_PARAMETER)
            continue;

        // Anything else: the PID exists but we could not learn anything about it.
        if (!NT_SUCCESS(probeStatus))
        {
            entry.FileName = NULL;
            entry.Type = UnknownProcess;

            if (!Callback(&entry, Context))
                cancelled = TRUE;
        }
    }

    PhDereferenceObject(knownPids);

    return status;
}
/**
 * Builds a log entry from the debug message currently in the selected DBWIN
 * page buffer, resolves the sending process's image path and icon, and adds
 * the entry to the view unless an exclude filter matches it.
 *
 * \param Context Debug-events view context; supplies the two page buffers,
 * the list view image list and the exclude filter list.
 * \param GlobalEvents TRUE to read Context->GlobalDebugBuffer, FALSE to read
 * Context->LocalDebugBuffer.
 */
static VOID DbgProcessLogMessageEntry(
    _Inout_ PPH_DBGEVENTS_CONTEXT Context,
    _In_ BOOLEAN GlobalEvents
    )
{
    PDBWIN_PAGE_BUFFER page = GlobalEvents ? Context->GlobalDebugBuffer : Context->LocalDebugBuffer;
    PDEBUG_LOG_ENTRY logEntry;
    PPH_STRING fileName = NULL;
    NTSTATUS status;
    HICON icon;
    ULONG i;

    logEntry = PhAllocate(sizeof(DEBUG_LOG_ENTRY));
    memset(logEntry, 0, sizeof(DEBUG_LOG_ENTRY));

    PhQuerySystemTime(&logEntry->Time);
    logEntry->ProcessId = UlongToHandle(page->ProcessId);

    // NOTE(review): page->ProcessId and page->Buffer presumably come from the
    // sending process (the DBWIN shared-buffer protocol), i.e. from an
    // arbitrary, possibly hostile peer. The PID is only used for lookups, but
    // the conversion below takes no length and so relies on the buffer being
    // NUL-terminated inside the mapped page - confirm that DBWIN_PAGE_BUFFER
    // or PhConvertMultiByteToUtf16 bounds the read.
    logEntry->Message = PhConvertMultiByteToUtf16(page->Buffer);

    // Resolve the sender's image path: directly by PID where the OS supports
    // it, otherwise through a query handle.
    if (WINDOWS_HAS_IMAGE_FILE_NAME_BY_PROCESS_ID)
    {
        status = PhGetProcessImageFileNameByProcessId(logEntry->ProcessId, &fileName);
    }
    else
    {
        HANDLE processHandle;

        status = PhOpenProcess(&processHandle, ProcessQueryAccess, logEntry->ProcessId);

        if (NT_SUCCESS(status))
        {
            status = PhGetProcessImageFileName(processHandle, &fileName);
            NtClose(processHandle);
        }
    }

    // NOTE(review): if the PID cannot be resolved (e.g. the sender already
    // exited, or access was denied) the entry is attributed to the kernel
    // file name. Such entries are then indistinguishable from genuine kernel
    // messages, and a name filter on that image also drops them.
    if (!NT_SUCCESS(status))
        fileName = PhGetKernelFileName();

    // Native path -> DOS path; the old reference is released by the swap.
    PhSwapReference2(&fileName, PhGetFileName(fileName));

    icon = PhGetFileShellIcon(PhGetString(fileName), L".exe", TRUE);

    if (icon)
    {
        logEntry->ImageIndex = ImageList_AddIcon(Context->ListViewImageList, icon);
        DestroyIcon(icon);
    }

    logEntry->FilePath = fileName;
    logEntry->ProcessName = PhGetBaseName(fileName);

    // Exclude filters: the first match (by name, case-insensitive, or by PID)
    // discards the entry.
    for (i = 0; i < Context->ExcludeList->Count; i++)
    {
        PDBG_FILTER_TYPE filter = Context->ExcludeList->Items[i];
        BOOLEAN excluded;

        switch (filter->Type)
        {
        case FilterByName:
            excluded = PhEqualString(filter->ProcessName, logEntry->ProcessName, TRUE);
            break;
        case FilterByPid:
            excluded = filter->ProcessId == logEntry->ProcessId;
            break;
        default:
            excluded = FALSE;
            break;
        }

        if (excluded)
        {
            DbgFreeLogEntry(logEntry);
            return;
        }
    }

    DbgAddLogEntry(Context, logEntry);
}