/*
* Returns a list of all of the loaded image files and their base addresses to
* the requestor.
*
* req: TLV_TYPE_HANDLE - The process handle to enumerate the images of
*/
DWORD request_sys_process_image_get_images(Remote *remote, Packet *packet)
{
BOOL (WINAPI *enumProcessModules)(HANDLE p, HMODULE *mod, DWORD cb, LPDWORD needed);
DWORD (WINAPI *getModuleBaseName)(HANDLE p, HMODULE mod, LPTSTR base,
DWORD baseSize);
DWORD (WINAPI *getModuleFileNameEx)(HANDLE p, HMODULE mod, LPTSTR path,
DWORD pathSize);
Packet *response = packet_create_response(packet);
HMODULE *modules = NULL;
BOOLEAN valid = FALSE;
HANDLE psapi = NULL;
HANDLE handle;
DWORD result = ERROR_SUCCESS;
DWORD needed = 0, actual, tries = 0;
DWORD index;
handle = (HANDLE)packet_get_tlv_value_uint(packet, TLV_TYPE_HANDLE);
do
{
// No response? No sense.
if (!response)
break;
// Open the process API
if (!(psapi = LoadLibrary("psapi")))
break;
// Try to resolve the address of EnumProcessModules
if (!((LPVOID)enumProcessModules =
(LPVOID)GetProcAddress(psapi, "EnumProcessModules")))
break;
// Try to resolve the address of GetModuleBaseNameA
if (!((LPVOID)getModuleBaseName =
(LPVOID)GetProcAddress(psapi, "GetModuleBaseNameA")))
break;
// Try to resolve the address of GetModuleFileNameExA
if (!((LPVOID)getModuleFileNameEx =
(LPVOID)GetProcAddress(psapi, "GetModuleFileNameExA")))
break;
// Validate parameters
if (!handle)
{
result = ERROR_INVALID_PARAMETER;
break;
}
// The current actual size of the array in bytes
actual = sizeof(HMODULE) * 512;
do
{
// Free previous storage
if (modules)
free(modules);
// Allocate storage for the array
modules = (HMODULE *)malloc(actual);
// Try to enumerate the image's modules
if (enumProcessModules(handle, modules, actual, &needed))
{
valid = TRUE;
break;
}
} while ((actual < needed) &&
(tries++ < 3));
// If we failed to succeed...
if (!valid)
{
result = GetLastError();
break;
}
// Enumerate through all of the modules...
for (index = 0;
index < needed / sizeof(HMODULE);
index++)
{
char path[1024], name[512];
DWORD base = 0;
Tlv tlvs[3];
memset(name, 0, sizeof(name));
memset(path, 0, sizeof(path));
// Query for base name and file name
if ((!getModuleBaseName(handle, modules[index], name,
sizeof(name) - 1)) ||
(!getModuleFileNameEx(handle, modules[index], path,
sizeof(path) - 1)))
{
result = GetLastError();
break;
}
base = htonl((DWORD)modules[index]);
tlvs[0].header.length = sizeof(HMODULE);
tlvs[0].header.type = TLV_TYPE_IMAGE_BASE;
tlvs[0].buffer = (PUCHAR)&base;
tlvs[1].header.length = (DWORD)strlen(path) + 1;
tlvs[1].header.type = TLV_TYPE_IMAGE_FILE_PATH;
tlvs[1].buffer = (PUCHAR)path;
tlvs[2].header.length = (DWORD)strlen(name) + 1;
tlvs[2].header.type = TLV_TYPE_IMAGE_NAME;
tlvs[2].buffer = (PUCHAR)name;
packet_add_tlv_group(response, TLV_TYPE_IMAGE_GROUP, tlvs, 3);
}
} while (0);
// Transmit the response
packet_transmit_response(result, remote, response);
// Cleanup
if (modules)
free(modules);
// Close the psapi library and clean up
if (psapi)
FreeLibrary(psapi);
return ERROR_SUCCESS;
}
/*
* Returns information about the supplied process handle.
*
* req: TLV_TYPE_HANDLE - The handle to gather information from.
*/
DWORD request_sys_process_get_info(Remote *remote, Packet *packet)
{
Packet *response = packet_create_response(packet);
#ifdef _WIN32
BOOL (WINAPI *enumProcessModules)(HANDLE p, HMODULE *mod, DWORD cb,
LPDWORD needed);
DWORD (WINAPI *getModuleBaseName)(HANDLE p, HMODULE mod, LPTSTR base,
DWORD baseSize);
DWORD (WINAPI *getModuleFileNameEx)(HANDLE p, HMODULE mod, LPTSTR path,
DWORD pathSize);
HMODULE mod;
HANDLE psapi = NULL;
HANDLE handle;
DWORD result = ERROR_SUCCESS;
DWORD needed;
CHAR path[1024], name[256];
handle = (HANDLE)packet_get_tlv_value_uint(packet, TLV_TYPE_HANDLE);
do
{
// Valid response?
if (!response)
{
result = ERROR_NOT_ENOUGH_MEMORY;
break;
}
// Valid parameters?
if (!handle)
{
result = ERROR_INVALID_PARAMETER;
break;
}
// Open the process API
if (!(psapi = LoadLibrary("psapi")))
{
result = GetLastError();
break;
}
// Try to resolve the necessary symbols
if ((!((LPVOID)enumProcessModules =
(LPVOID)GetProcAddress(psapi, "EnumProcessModules"))) ||
(!((LPVOID)getModuleBaseName =
(LPVOID)GetProcAddress(psapi, "GetModuleBaseNameA"))) ||
(!((LPVOID)getModuleFileNameEx =
(LPVOID)GetProcAddress(psapi, "GetModuleFileNameExA"))))
{
result = GetLastError();
break;
}
memset(name, 0, sizeof(name));
memset(path, 0, sizeof(path));
// Enumerate the first module in the process and get its base name
if ((!enumProcessModules(handle, &mod, sizeof(mod), &needed) ||
(getModuleBaseName(handle, mod, name, sizeof(name) - 1) == 0)))
{
result = GetLastError();
break;
}
// Try to get the process' file name
getModuleFileNameEx(handle, mod, path, sizeof(path) - 1);
// Set the process' information on the response
packet_add_tlv_string(response, TLV_TYPE_PROCESS_NAME, name);
packet_add_tlv_string(response, TLV_TYPE_PROCESS_PATH, path);
} while (0);
// Transmit the response
packet_transmit_response(ERROR_SUCCESS, remote, response);
// Close the psapi library and clean up
if (psapi)
FreeLibrary(psapi);
#else
packet_transmit_response(ERROR_NOT_SUPPORTED, remote, response);
#endif
return ERROR_SUCCESS;
}
