void
refresh_list(){
//List all the process
DIR *p;
struct dirent *dirp;
DIR *p2;
struct dirent *dirp2;
if ((p = opendir("/proc")) == NULL)
{
printf("cannot open proc");
return;
}
int th=0;
int x,y;
while( (dirp = readdir(p)) != NULL)
if(dirp -> d_name[0] >='0' && dirp -> d_name[0] <='9'){
//if(++th>32)break;
struct process_t pp;
open_process(dirp -> d_name,&pp);
if(strstr(pp.comm+1,pfilter)!=pp.comm+1)continue;
char buf[30];
sprintf(buf,"/proc/%s/task",dirp -> d_name);
if ((p2 = opendir(buf)) != NULL)
{
while( (dirp2= readdir(p2)) != NULL){
struct process_t p;
p.processor=-1;
open_process(dirp2 -> d_name,&p);
if(p.processor==-1)continue;
x=th%48;
y=(th/48)*32;
move(x+1,y);
print_process(&p);
th++;
}
}
}
closedir(p);
}
void grant_debug_privileges(uint32_t pid)
{
HANDLE token_handle, process_handle = open_process(pid);
if(OpenProcessToken(process_handle, TOKEN_ALL_ACCESS,
&token_handle) == 0) {
error("[-] Error obtaining process token: %ld\n", GetLastError());
}
LUID original_luid;
if(LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &original_luid) == 0) {
error("[-] Error obtaining original luid: %ld\n", GetLastError());
}
TOKEN_PRIVILEGES token_privileges;
token_privileges.PrivilegeCount = 1;
token_privileges.Privileges[0].Luid = original_luid;
token_privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if(AdjustTokenPrivileges(token_handle, FALSE, &token_privileges, 0, NULL,
NULL) == 0) {
error("[-] Error adjusting token privileges: %ld\n", GetLastError());
}
CloseHandle(token_handle);
CloseHandle(process_handle);
}
uint32_t create_thread_and_wait(uint32_t pid, void *addr, void *arg)
{
HANDLE process_handle = open_process(pid);
HANDLE thread_handle = CreateRemoteThread(process_handle, NULL, 0,
(LPTHREAD_START_ROUTINE) addr, arg, 0, NULL);
uint32_t return_value = GetLastError();
if(thread_handle == NULL && return_value == ERROR_NOT_ENOUGH_MEMORY) {
toggle_session_restriction(0);
thread_handle = CreateRemoteThread(process_handle, NULL, 0,
(LPTHREAD_START_ROUTINE) addr, arg, 0, NULL);
return_value = GetLastError();
toggle_session_restriction(1);
}
if(thread_handle == NULL) {
error("[-] Error injecting remote thread in process: %d\n",
return_value);
}
WaitForSingleObject(thread_handle, INFINITE);
DWORD exit_code;
GetExitCodeThread(thread_handle, &exit_code);
CloseHandle(thread_handle);
CloseHandle(process_handle);
return exit_code;
}
/**
* Constructs a new process object.
*
* Creates a new process object that represents a running process
* within the system.
*
* On Windows the process is opened and a handle saved. This is required
* to avoid the operating system removing process resources when the
* process exits. The handle is closed when the process instance (and all
* of its copies) is destroyed.
*/
process(pid_type id)
: id_(id)
#if defined(BOOST_WINDOWS_API)
, handle_(open_process(id))
#endif
{
}
void free_data(uint32_t pid, void *addr, uint32_t length)
{
if(addr != NULL && length != 0) {
HANDLE process_handle = open_process(pid);
VirtualFreeEx(process_handle, addr, length, MEM_RELEASE);
CloseHandle(process_handle);
}
}
extern int
start_rtrace(void) /* start rtrace process */
{
static char buf1[8];
int rmaxpack = 0;
int psiz, n;
/* get number of processes */
if (ncprocs <= 0 || nprocs > 0)
return(0);
if (ncprocs > MAXPROC) {
sprintf(errmsg,
"number of rtrace processes reduced from %d to %d",
ncprocs, MAXPROC);
error(WARNING, errmsg);
ncprocs = MAXPROC;
}
if (rtargv[rtargc-1] != vval(OCTREE)) {
/* add compulsory options */
rtargv[rtargc++] = "-i-";
rtargv[rtargc++] = "-I-";
rtargv[rtargc++] = "-h-";
rtargv[rtargc++] = "-ld-";
sprintf(buf1, "%d", RPACKSIZ);
rtargv[rtargc++] = "-x"; rtargv[rtargc++] = buf1;
rtargv[rtargc++] = "-y"; rtargv[rtargc++] = "0";
rtargv[rtargc++] = "-fff";
rtargv[rtargc++] = vbool(VDIST) ? "-ovl" : "-ovL";
if (nowarn)
rtargv[rtargc++] = "-w-";
if (ncprocs > 1) {
mktemp(pfile);
rtargv[rtargc++] = "-PP"; rtargv[rtargc++] = pfile;
}
rtargv[rtargc++] = vval(OCTREE);
rtargv[rtargc] = NULL;
}
maxqlen = 0;
for (nprocs = 0; nprocs < ncprocs; nprocs++) { /* spawn children */
psiz = open_process(&rtpd[nprocs], rtargv);
if (psiz <= 0)
error(SYSTEM, "cannot start rtrace process");
n = psiz/(RPACKSIZ*6*sizeof(float));
if (maxqlen == 0) {
if (!(maxqlen = n))
error(INTERNAL,
"bad pipe buffer size assumption");
sleep(2);
} else if (n != maxqlen)
error(INTERNAL, "varying pipe buffer size!");
rmaxpack += n;
}
rtbuf = (float *)malloc(RPACKSIZ*6*sizeof(float)*maxqlen);
if (rtbuf == NULL)
error(SYSTEM, "malloc failure in start_rtrace");
return(rmaxpack);
}
void DllInjector::inject_into_pid(int pid)
{
if (!file_exists(dll_path))
throw std::runtime_error("File '" + dll_path + "' does not exist!");
HANDLE process = open_process(pid);
void* memory_ptr = allocate_process_memory(pid, process);
write_process_memory(pid, process, memory_ptr);
HANDLE thread = create_remote_thread(pid, process, memory_ptr);
run_thread(thread);
}
void read_data(uint32_t pid, void *addr, void *data, uint32_t length)
{
HANDLE process_handle = open_process(pid);
DWORD_PTR bytes_read;
if(ReadProcessMemory(process_handle, addr, data, length,
&bytes_read) == FALSE || bytes_read != length) {
error("[-] Error reading data from process: %ld\n", GetLastError());
}
CloseHandle(process_handle);
}
int dump(uint32_t pid, const wchar_t *filepath)
{
SYSTEM_INFO si; MEMORY_BASIC_INFORMATION mbi; DWORD written_bytes;
HANDLE process_handle, file_handle; DWORD_PTR read_bytes;
uint8_t buf[0x1000]; dump_t d;
GetSystemInfo(&si);
file_handle = CreateFileW(filepath, GENERIC_WRITE, 0,
NULL, CREATE_ALWAYS, 0, NULL);
if(file_handle == NULL) {
error("[-] Error opening dump filepath: %S\n", filepath);
}
process_handle = open_process(pid);
uint8_t *ptr = si.lpMinimumApplicationAddress;
while (ptr < (uint8_t *) si.lpMaximumApplicationAddress) {
if(VirtualQueryEx(process_handle, ptr, &mbi, sizeof(mbi)) == FALSE) {
ptr += 0x1000;
continue;
}
if((mbi.State & MEM_COMMIT) == 0 || (mbi.Protect & PAGE_GUARD) != 0 ||
(mbi.Type & (MEM_IMAGE | MEM_MAPPED | MEM_PRIVATE)) == 0) {
ptr += mbi.RegionSize;
continue;
}
d.addr = (uintptr_t) ptr;
d.size = mbi.RegionSize;
d.state = mbi.State;
d.type = mbi.Type;
d.protect = mbi.Protect;
WriteFile(file_handle, &d, sizeof(d), &written_bytes, NULL);
for (uint8_t *end = ptr + mbi.RegionSize; ptr < end; ptr += 0x1000) {
if(ReadProcessMemory(process_handle, ptr, buf, sizeof(buf),
&read_bytes) == FALSE || read_bytes != sizeof(buf)) {
error("[-] Unable to read a full page?!");
}
WriteFile(file_handle, buf, sizeof(buf), &written_bytes, NULL);
}
}
CloseHandle(process_handle);
CloseHandle(file_handle);
return 0;
}
static void
startrtrace( /* start rtrace on octname */
char *octname
)
{
static char *av[12] = {"rtrace", "-h", "-fff", "-ld+",
"-opL", "-x", "1"};
int ac = 7;
if (nowarn) av[ac++] = "-w-";
av[ac++] = octname;
av[ac] = NULL;
if (open_process(&rtpd, av) <= 0)
error(SYSTEM, "cannot start rtrace process");
}
void *write_data(uint32_t pid, const void *data, uint32_t length)
{
HANDLE process_handle = open_process(pid);
void *addr = VirtualAllocEx(process_handle, NULL, length,
MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if(addr == NULL) {
error("[-] Error allocating memory in process: %ld!\n",
GetLastError());
}
DWORD_PTR bytes_written;
if(WriteProcessMemory(process_handle, addr, data, length,
&bytes_written) == FALSE || bytes_written != length) {
error("[-] Error writing data to process: %ld\n", GetLastError());
}
CloseHandle(process_handle);
return addr;
}
uint32_t start_app(uint32_t from, const wchar_t *path,
const wchar_t *arguments, const wchar_t *curdir, uint32_t *tid,
int show_window)
{
create_process_t s;
memset(&s, 0, sizeof(s));
s.si.cb = sizeof(s.si);
// Emulate explorer.exe's startupinfo flags behavior.
s.si.dwFlags = STARTF_USESHOWWINDOW;
s.si.wShowWindow = show_window;
s.create_process_w = resolve_symbol("kernel32", "CreateProcessW");
s.get_last_error = resolve_symbol("kernel32", "GetLastError");
wchar_t *cmd_line =
malloc(strsizeW(path) + strsizeW(arguments) + 4 * sizeof(wchar_t));
wsprintfW(cmd_line, L"\"%s\" %s", path, arguments);
s.filepath = write_data(from, path, strsizeW(path));
s.cmdline = write_data(from, cmd_line, strsizeW(cmd_line));
s.curdir = write_data(from, curdir, strsizeW(curdir));
create_process_t *settings_addr = write_data(from, &s, sizeof(s));
void *shellcode_addr = write_data(from, &create_process_worker, 0x1000);
uint32_t last_error =
create_thread_and_wait(from, shellcode_addr, settings_addr);
if(last_error != 0) {
error("[-] Error launching process: %d\n", last_error);
}
read_data(from, settings_addr, &s, sizeof(s));
free_data(from, s.curdir, strsizeW(curdir));
free_data(from, s.cmdline, strsizeW(cmd_line));
free_data(from, s.filepath, strsizeW(path));
free_data(from, shellcode_addr, 0x1000);
free_data(from, settings_addr, sizeof(s));
free(cmd_line);
HANDLE process_handle = open_process(from), object_handle;
if(DuplicateHandle(process_handle, s.pi.hThread, GetCurrentProcess(),
&object_handle, DUPLICATE_SAME_ACCESS, FALSE,
DUPLICATE_CLOSE_SOURCE) != FALSE) {
CloseHandle(object_handle);
}
if(DuplicateHandle(process_handle, s.pi.hProcess, GetCurrentProcess(),
&object_handle, DUPLICATE_SAME_ACCESS, FALSE,
DUPLICATE_CLOSE_SOURCE) != FALSE) {
CloseHandle(object_handle);
}
CloseHandle(process_handle);
if(tid != NULL) {
*tid = s.pi.dwThreadId;
}
return s.pi.dwProcessId;
}
extern void
disp_open( /* open the named display driver */
char *dname
)
{
char buf[sizeof(HDGRID)+512], fd0[8], fd1[8], *cmd[5], *sfn;
int i, n, len;
if (!strcmp(dname, SLAVENAME)) {
dpd.r = 0; /* read from stdin */
dpout = stdout; /* write to stdout */
dpd.running = 0; /* we're the slave procees */
} else {
/* get full display program name */
#ifdef DEVPATH
sprintf(buf, "%s/%s%s", DEVPATH, dname, HDSUF);
#else
sprintf(buf, "dev/%s%s", dname, HDSUF);
#endif
/* dup stdin and stdout */
if (readinp)
sprintf(fd0, "%d", dup(0));
else
strcpy(fd0, "-1");
sprintf(fd1, "%d", dup(1));
/* start the display process */
cmd[0] = buf;
cmd[1] = froot; cmd[2] = fd1; cmd[3] = fd0;
cmd[4] = NULL;
i = open_process(&dpd, cmd);
if (i <= 0)
error(USER, "cannot start display process");
if ((dpout = fdopen(dpd.w, "w")) == NULL)
error(SYSTEM, "problem opening display pipe");
/* close dup'ed stdin and stdout */
if (readinp)
close(atoi(fd0));
close(atoi(fd1));
}
dpd.w = -1; /* causes ignored error in close_process() */
inp_flags = 0;
/* check if outside */
if (vdef(OBSTRUCTIONS) && vbool(OBSTRUCTIONS))
disp_result(DS_OUTSECT, 0, NULL);
/* send eye separation if specified */
if (vdef(EYESEP)) {
sprintf(buf, "%.9e", vflt(EYESEP));
disp_result(DS_EYESEP, strlen(buf)+1, buf);
}
/* write out hologram grids & octrees */
for (i = 0; hdlist[i] != NULL; i++) {
memcpy(buf, (void *)hdlist[i], sizeof(HDGRID));
len = sizeof(HDGRID);
n = vdef(GEOMETRY);
sfn = i<n ? nvalue(GEOMETRY,i) :
n ? nvalue(GEOMETRY,n-1) : vval(OCTREE);
strcpy(buf+len, sfn);
len += strlen(sfn) + 1;
n = vdef(PORTS);
sfn = i<n ? nvalue(PORTS,i) : n ? nvalue(PORTS,n-1) : "";
strcpy(buf+len, sfn);
len += strlen(sfn) + 1;
disp_result(DS_ADDHOLO, len, buf);
}
disp_flush();
}
void handle_command(struct drpc_packet *pkt, char *buf)
{
unsigned long pid;
unsigned long tid;
unsigned long addr;
unsigned long len;
unsigned long sel;
unsigned long flags;
unsigned long n;
CONTEXT *ctxt;
// Validate request
if (pkt->startmark != startmark) logmsg("WARNING: unexpected startmark %08X\n", pkt->startmark);
if (pkt->reserved1 != 0) logmsg("WARNING: reserved1 is %08X\n", pkt->reserved1);
if (pkt->reserved2 != 0) logmsg("WARNING: reserved2 is %08X\n", pkt->reserved2);
if (pkt->result != 0) logmsg("WARNING: result is %08X\n", pkt->result);
// Execute command
switch (pkt->cmd)
{
case DRPC_GET_SYSTEM_VERSION:
logmsg("COMMAND GetSystemVersion: spnamelen=%d, buildnamelen=%d\n", *(unsigned long *) (buf + 0), *(unsigned long *) (buf + 8));
get_system_version(pkt, buf);
break;
case DRPC_DEBUG_BREAK:
tid = *(unsigned long *) (buf + 0);
logmsg("COMMAND DebugBreak hthread=%08X\n", tid);
pkt->result = E_FAIL;
break;
case DRPC_GET_HOST_INFO:
logmsg("COMMAND GetHostInfo: hostlen=%d, transportlen=%d\n", *(unsigned long *) (buf + 0), *(unsigned long *) (buf + 8));
get_host_info(pkt, buf);
break;
case DRPC_GET_CPU_INFO:
logmsg("COMMAND GetCpuInfo: maxlen=%d\n", *(unsigned long *) buf);
get_cpu_info(pkt, buf);
break;
case DRPC_GET_PROCESS_LIST:
logmsg("COMMAND GetProcessList: maxpids=%d\n", *(unsigned long *) buf);
get_process_list(pkt, buf);
break;
case DRPC_GET_PROCESS_NAME:
pid = *(unsigned long *) buf;
logmsg("COMMAND GetProcessName pid=%d:\n", pid);
get_process_name(pkt, buf);
break;
case DRPC_DEBUG_PROCESS:
pid = *(unsigned long *) buf;
logmsg("COMMAND DebugProcess pid=%d (%08X):\n", pid, pid);
pkt->result = E_FAIL;
break;
case DRPC_OPEN_PROCESS:
pid = *(unsigned long *) buf;
flags = *(unsigned long *) (buf + 8);
logmsg("COMMAND OpenProcess pid=%d (%08X) flags=%08X:\n", pid, pid, flags);
open_process(pkt, buf);
break;
case DRPC_CREATE_PROCESS:
pid = *(unsigned long *) buf;
logmsg("COMMAND CreateProcess: cmd=%S flags=%08X:\n", buf, *(unsigned long *)(buf + pkt->reqlen - 4));
pkt->result = E_FAIL;
break;
case DRPC_READ_PROCESS_MEMORY:
pid = *(unsigned long *) (buf + 0);
addr = *(unsigned long *) (buf + 8);
len = *(unsigned long *) (buf + 16);
logmsg("COMMAND ReadProcessMemory hproc=%08X addr=%08x len=%d:\n", pid, addr, len);
read_memory(pkt, buf);
break;
case DRPC_WRITE_PROCESS_MEMORY:
pid = *(unsigned long *) (buf + 0);
addr = *(unsigned long *) (buf + 8);
len = *(unsigned long *) (buf + 16);
logmsg("COMMAND WriteProcessMemory hproc=%08X addr=%08x len=%d:\n", pid, addr, len);
write_memory(pkt, buf);
break;
case DRPC_SUSPEND_THREAD:
len = *(unsigned long *) (buf + 0);
logmsg("COMMAND SuspendThread: hthread=");
for (n = 0; n < len; n++)
{
tid = *(unsigned long *) (buf + 8 + n * 8);
logmsg(" %08X", tid);
}
logmsg("\n");
suspend_threads(pkt, buf);
break;
case DRPC_RESUME_THREAD:
len = *(unsigned long *) (buf + 0);
logmsg("COMMAND ResumeThread: hthread=");
for (n = 0; n < len; n++)
{
tid = *(unsigned long *) (buf + 8 + n * 8);
logmsg(" %08X", tid);
}
logmsg("\n");
resume_threads(pkt, buf);
break;
case DRPC_GET_THREAD_CONTEXT:
tid = *(unsigned long *) (buf + 0);
flags = *(unsigned long *) (buf + 8);
len = *(unsigned long *) (buf + 16);
logmsg("COMMAND GetThreadContext hthread=%08X context=%08x len=%d:\n", tid, flags, len);
get_context(pkt, buf);
break;
case DRPC_SET_THREAD_CONTEXT:
tid = *(unsigned long *) (buf + 0);
len = *(unsigned long *) (buf + 8);
ctxt = (CONTEXT *) (buf + 12);
logmsg("COMMAND SetThreadContext hthread=%08X eax=%08x len=%d:\n", tid, ctxt->Eax, len);
set_context(pkt, buf);
break;
case DRPC_GET_PEB_ADDRESS:
pid = *(unsigned long *) (buf + 0);
logmsg("COMMAND GetPebAddress hproc=%08X:\n", pid);
get_peb_address(pkt, buf);
break;
case DRPC_GET_THREAD_SELECTOR:
tid = *(unsigned long *) (buf + 0);
sel = *(unsigned long *) (buf + 8);
len = *(unsigned long *) (buf + 12);
logmsg("COMMAND GetThreadSelector hthread=%08X selector=%08x len=%08x:\n", tid, sel, len);
get_thread_selector(pkt, buf);
break;
case DRPC_GET_DEBUG_EVENT:
logmsg("COMMAND GetDebugEvent %08X %08X:\n", *(unsigned long *) buf, *(unsigned long *) (buf + 4));
get_debug_event(pkt, buf);
break;
case DRPC_CONTINUE_DEBUG_EVENT:
flags = *(unsigned long *) buf;
if (flags == 0x00010001)
logmsg("COMMAND ContinueDebugEvent: DBG_EXCEPTION_HANDLED\n");
else if (flags == 0x00010002)
logmsg("COMMAND ContinueDebugEvent: DBG_CONTINUE\n");
else
logmsg("COMMAND ContinueDebugEvent: %08X\n", flags);
break;
case 0x0000C001:
logmsg("COMMAND 0000C001\n");
pkt->result = dbg_state;
break;
case 0x0004C002:
logmsg("COMMAND 0004C002\n");
*(unsigned long *) buf = 5;
break;
default:
logmsg("COMMAND %08X ??? (reqlen=%d, rsplen=%d):\n", pkt->cmd, pkt->reqlen, pkt->rsplen);
if (pkt->reqlen > 0)
{
logmsg("reqdata: ");
dump_data(stdout, buf, pkt->reqlen > 256 ? 256 : pkt->reqlen, 4, NULL);
if (logfile) dump_data(logfile, buf, pkt->reqlen, 4, NULL);
}
pkt->result = E_FAIL;
}
pkt->cmd |= 0x00010000;
}
