DWORD GetPidFromProcessHandle(HANDLE process_handle)
{
PROCESS_BASIC_INFORMATION pbi = {}; ULONG ulSize;
LONG (WINAPI *NtQueryInformationProcess)(HANDLE ProcessHandle,
ULONG ProcessInformationClass, PVOID ProcessInformation,
ULONG ProcessInformationLength, PULONG ReturnLength);
*(FARPROC *) &NtQueryInformationProcess = GetProcAddress(
LoadLibrary("ntdll"), "NtQueryInformationProcess");
if(NtQueryInformationProcess != NULL && NtQueryInformationProcess(
process_handle, 0, &pbi, sizeof(pbi), &ulSize) >= 0 &&
ulSize == sizeof(pbi)) {
return pbi.UniqueProcessId;
}
return 0;
}
ULONG_PTR parent_process_id() // By Napalm @ NetCore2K (rohitab.com)
{
ULONG_PTR pbi[6]; ULONG ulSize = 0;
LONG (WINAPI *NtQueryInformationProcess)(HANDLE ProcessHandle,
ULONG ProcessInformationClass, PVOID ProcessInformation,
ULONG ProcessInformationLength, PULONG ReturnLength);
*(FARPROC *) &NtQueryInformationProcess = GetProcAddress(
GetModuleHandle("ntdll"), "NtQueryInformationProcess");
if(NtQueryInformationProcess != NULL && NtQueryInformationProcess(
GetCurrentProcess(), 0, &pbi, sizeof(pbi), &ulSize) >= 0 &&
ulSize == sizeof(pbi)) {
return pbi[5];
}
return 0;
}
VOID Driver_Extract()
{
INTBOOL isWow64 = FALSE;
NtQueryInformationProcess(
NtCurrentProcess(),
ProcessWow64Information,
&isWow64,
sizeof(INTBOOL),
NULL
);
if (isWow64)
Resource::Extract(L"DRIVER64", L"push0.sys");
else
Resource::Extract(L"DRIVER32", L"push0.sys");
}
DWORD IATHookInjector::FindRemotePEB(HANDLE hProcess) const
{
auto hNTDLL = LoadLibraryA("ntdll");
if (!hNTDLL)
{
return 0;
}
auto fpNtQueryInformationProcess = GetProcAddress(hNTDLL, "NtQueryInformationProcess");
if (!fpNtQueryInformationProcess)
{
return 0;
}
auto ntQueryInformationProcess = NtQueryInformationProcess(fpNtQueryInformationProcess);
auto pBasicInfo = new PROCESS_BASIC_INFORMATION();
DWORD dwReturnLength = 0;
ntQueryInformationProcess(hProcess, 0, pBasicInfo, sizeof(PROCESS_BASIC_INFORMATION), &dwReturnLength);
return DWORD(pBasicInfo->PebBaseAddress);
}
BOOL CFileControlTool::GetProcessId( HANDLE h, DWORD& processId, DWORD remoteProcessId )
{
BOOL ret = FALSE;
HANDLE handle;
HANDLE hRemoteProcess = NULL;
BOOL remote = remoteProcessId != GetCurrentProcessId();
PROCESS_BASIC_INFORMATION pi;
ZeroMemory( &pi, sizeof(pi) );
processId = 0;
if ( remote )
{
// Open process
hRemoteProcess = OpenProcess(PROCESS_DUP_HANDLE,TRUE,remoteProcessId);
if ( hRemoteProcess == NULL )
return FALSE;
// Duplicate handle
DuplicateHandle(hRemoteProcess,h,GetCurrentProcess(),&handle,0,FALSE,DUPLICATE_SAME_ACCESS);
}
else
handle = h;
// Get the process information
if (NtQueryInformationProcess( handle, 0, &pi, sizeof(pi), NULL) == 0 )
{
processId = pi.UniqueProcessId;
ret = TRUE;
}
if ( remote )
{
if ( hRemoteProcess != NULL )
CloseHandle( hRemoteProcess );
if ( handle != NULL )
CloseHandle( handle );
}
return ret;
}
/*
* @implemented
*/
DWORD
WINAPI
GetPriorityClass(HANDLE hProcess)
{
NTSTATUS Status;
PROCESS_PRIORITY_CLASS PriorityClass;
Status = NtQueryInformationProcess(hProcess,
ProcessPriorityClass,
&PriorityClass,
sizeof(PROCESS_PRIORITY_CLASS),
NULL);
if(NT_SUCCESS(Status))
{
switch(PriorityClass.PriorityClass)
{
case PROCESS_PRIORITY_CLASS_IDLE:
return IDLE_PRIORITY_CLASS;
case PROCESS_PRIORITY_CLASS_BELOW_NORMAL:
return BELOW_NORMAL_PRIORITY_CLASS;
case PROCESS_PRIORITY_CLASS_NORMAL:
return NORMAL_PRIORITY_CLASS;
case PROCESS_PRIORITY_CLASS_ABOVE_NORMAL:
return ABOVE_NORMAL_PRIORITY_CLASS;
case PROCESS_PRIORITY_CLASS_HIGH:
return HIGH_PRIORITY_CLASS;
case PROCESS_PRIORITY_CLASS_REALTIME:
return REALTIME_PRIORITY_CLASS;
default:
return NORMAL_PRIORITY_CLASS;
}
}
SetLastErrorByStatus(Status);
return FALSE;
}
HANDLE
NTAPI
QqCreateWaitQQProtectThread(
PSECURITY_ATTRIBUTES ThreadAttributes,
ULONG_PTR StackSize,
PTHREAD_START_ROUTINE StartAddress,
PVOID Parameter,
ULONG CreationFlags,
PULONG ThreadId
)
{
NTSTATUS Status;
PVOID Ebp, CallCreateQQProtectExchangeWindow;
PROCESS_BASIC_INFORMATION BasicInfo;
LOOP_ONCE
{
if (PtrAnd(Parameter, 0xFFF00000) != 0)
continue;
Status = NtQueryInformationProcess((HANDLE)Parameter, ProcessBasicInformation, &BasicInfo, sizeof(BasicInfo), nullptr);
FAIL_BREAK(Status);
if (BasicInfo.UniqueProcessId != CurrentPid())
break;
AllocStack(16);
Ebp = *((PVOID *)_AddressOfReturnAddress() - 1);
CallCreateQQProtectExchangeWindow = *((PVOID *)Ebp + 1);
if (*(PBYTE)CallCreateQQProtectExchangeWindow != CALL)
break;
NtClose((HANDLE)Parameter);
*(PULONG_PTR)((PVOID *)Ebp + 1) += GetOpCodeSize(CallCreateQQProtectExchangeWindow);
return nullptr;
}
return HummerCreateThread(ThreadAttributes, StackSize, StartAddress, Parameter, CreationFlags, ThreadId);
}
/*
* supIsProcess32bit
*
* Purpose:
*
* Return TRUE if given process is under WOW64, FALSE otherwise.
*
*/
BOOLEAN supIsProcess32bit(
_In_ HANDLE hProcess
)
{
NTSTATUS status;
PROCESS_EXTENDED_BASIC_INFORMATION pebi;
if (hProcess == NULL) {
return FALSE;
}
//query if this is wow64 process
RtlSecureZeroMemory(&pebi, sizeof(pebi));
pebi.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION);
status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pebi, sizeof(pebi), NULL);
if (NT_SUCCESS(status)) {
return (pebi.IsWow64Process == 1);
}
return FALSE;
}
/*
* @implemented
*/
BOOL
WINAPI
GetProcessIoCounters(HANDLE hProcess,
PIO_COUNTERS lpIoCounters)
{
NTSTATUS Status;
Status = NtQueryInformationProcess(hProcess,
ProcessIoCounters,
lpIoCounters,
sizeof(IO_COUNTERS),
NULL);
if (!NT_SUCCESS(Status))
{
SetLastErrorByStatus(Status);
return FALSE;
}
return TRUE;
}
/*
* @implemented
*/
DWORD
WINAPI
GetProcessId(HANDLE Process)
{
PROCESS_BASIC_INFORMATION ProcessBasic;
NTSTATUS Status;
Status = NtQueryInformationProcess(Process,
ProcessBasicInformation,
&ProcessBasic,
sizeof(PROCESS_BASIC_INFORMATION),
NULL);
if (!NT_SUCCESS(Status))
{
SetLastErrorByStatus(Status);
return 0;
}
return (DWORD)ProcessBasic.UniqueProcessId;
}
NTSYSAPI
NTSTATUS
STDAPIVCALLTYPE
RtlSetProcessIsCritical(
IN BOOLEAN NewValue,
OUT PBOOLEAN OldValue OPTIONAL,
IN BOOLEAN CheckFlag
)
{
PPEB Peb;
ULONG Enable;
NTSTATUS Status;
if ( ARGUMENT_PRESENT(OldValue) ) {
*OldValue = FALSE;
}
Peb = RtlGetCurrentPeb();
if ( CheckFlag
&& ! (Peb->NtGlobalFlag & FLG_ENABLE_SYSTEM_CRIT_BREAKS) ) {
return STATUS_UNSUCCESSFUL;
}
if ( ARGUMENT_PRESENT(OldValue) ) {
NtQueryInformationProcess(NtCurrentProcess(),
ProcessBreakOnTermination,
&Enable,
sizeof(Enable),
NULL);
*OldValue = (BOOLEAN) Enable;
}
Enable = NewValue;
Status = NtSetInformationProcess(NtCurrentProcess(),
ProcessBreakOnTermination,
&Enable,
sizeof(Enable));
return Status;
}
/***********************************************************************
* CheckRemoteDebuggerPresent (KERNEL32.@)
*
* Allows a process to determine if there is a remote debugger
* attached.
*
* PARAMS
*
* RETURNS
*
* TRUE because it is a stub.
*/
BOOL WINAPI CheckRemoteDebuggerPresent(HANDLE process, PBOOL DebuggerPresent)
{
NTSTATUS status;
DWORD_PTR port;
if(!process || !DebuggerPresent)
{
SetLastError(ERROR_INVALID_PARAMETER);
return FALSE;
}
status = NtQueryInformationProcess(process, ProcessDebugPort, &port, sizeof(port), NULL);
if (status != STATUS_SUCCESS)
{
SetLastError(RtlNtStatusToDosError(status));
return FALSE;
}
*DebuggerPresent = !!port;
return TRUE;
}
VOID NTAPI ProcessMenuInitializingCallback(
_In_opt_ PVOID Parameter,
_In_opt_ PVOID Context
)
{
PPH_PLUGIN_MENU_INFORMATION menuInfo = Parameter;
PPH_EMENU_ITEM miscMenuItem;
PPH_EMENU_ITEM criticalMenuItem;
PPH_PROCESS_ITEM processItem;
miscMenuItem = PhFindEMenuItem(menuInfo->Menu, 0, L"Miscellaneous", 0);
if (!miscMenuItem)
return;
processItem = menuInfo->u.Process.NumberOfProcesses == 1 ? menuInfo->u.Process.Processes[0] : NULL;
criticalMenuItem = PhPluginCreateEMenuItem(PluginInstance, 0, CRITICAL_MENU_ITEM, L"&Critical", processItem);
PhInsertEMenuItem(miscMenuItem, criticalMenuItem, -1);
if (processItem)
{
HANDLE processHandle;
ULONG breakOnTermination;
if (NT_SUCCESS(PhOpenProcess(&processHandle, PROCESS_QUERY_INFORMATION, processItem->ProcessId)))
{
if (NT_SUCCESS(NtQueryInformationProcess(processHandle, ProcessBreakOnTermination, &breakOnTermination, sizeof(ULONG), NULL)))
{
if (breakOnTermination)
criticalMenuItem->Flags |= PH_EMENU_CHECKED;
}
NtClose(processHandle);
}
}
else
{
criticalMenuItem->Flags |= PH_EMENU_DISABLED;
}
}
/*
* @implemented
*/
BOOL
WINAPI
EmptyWorkingSet(HANDLE hProcess)
{
SYSTEM_INFO SystemInfo;
QUOTA_LIMITS QuotaLimits;
NTSTATUS Status;
GetSystemInfo(&SystemInfo);
/* Query the working set */
Status = NtQueryInformationProcess(hProcess,
ProcessQuotaLimits,
&QuotaLimits,
sizeof(QuotaLimits),
NULL);
if (!NT_SUCCESS(Status))
{
SetLastError(RtlNtStatusToDosError(Status));
return FALSE;
}
/* Empty the working set */
QuotaLimits.MinimumWorkingSetSize = -1;
QuotaLimits.MaximumWorkingSetSize = -1;
/* Set the working set */
Status = NtSetInformationProcess(hProcess,
ProcessQuotaLimits,
&QuotaLimits,
sizeof(QuotaLimits));
if (!NT_SUCCESS(Status) && Status != STATUS_PRIVILEGE_NOT_HELD)
{
SetLastError(RtlNtStatusToDosError(Status));
return FALSE;
}
return TRUE;
}
pid_t getppid(void)
{
PROCESS_BASIC_INFORMATION pbiInfo;
NTSTATUS nErrCode;
nErrCode = NtQueryInformationProcess
(
NtCurrentProcess(),
ProcessBasicInformation,
&pbiInfo,
sizeof(pbiInfo),
NULL
);
if(!NT_SUCCESS(nErrCode))
{
errno = __status_to_errno(nErrCode);
return (0);
}
return (pbiInfo.InheritedFromUniqueProcessId);
}
/*
* @implemented
*/
BOOL
WINAPI
GetProcessHandleCount(HANDLE hProcess,
PDWORD pdwHandleCount)
{
ULONG phc;
NTSTATUS Status;
Status = NtQueryInformationProcess(hProcess,
ProcessHandleCount,
&phc,
sizeof(ULONG),
NULL);
if(NT_SUCCESS(Status))
{
*pdwHandleCount = phc;
return TRUE;
}
SetLastErrorByStatus(Status);
return FALSE;
}
/*
* @implemented
*/
BOOL
WINAPI
GetProcessPriorityBoost(HANDLE hProcess,
PBOOL pDisablePriorityBoost)
{
NTSTATUS Status;
ULONG PriorityBoost;
Status = NtQueryInformationProcess(hProcess,
ProcessPriorityBoost,
&PriorityBoost,
sizeof(ULONG),
NULL);
if (NT_SUCCESS(Status))
{
*pDisablePriorityBoost = PriorityBoost;
return TRUE;
}
SetLastErrorByStatus(Status);
return FALSE;
}
/*
* @implemented
*/
BOOL
WINAPI
GetExitCodeProcess(HANDLE hProcess,
LPDWORD lpExitCode)
{
PROCESS_BASIC_INFORMATION ProcessBasic;
NTSTATUS Status;
Status = NtQueryInformationProcess(hProcess,
ProcessBasicInformation,
&ProcessBasic,
sizeof(PROCESS_BASIC_INFORMATION),
NULL);
if (!NT_SUCCESS(Status))
{
SetLastErrorByStatus(Status);
return FALSE;
}
*lpExitCode = (DWORD)ProcessBasic.ExitStatus;
return TRUE;
}
/*
* @implemented
*/
BOOL
WINAPI
IsWow64Process(HANDLE hProcess,
PBOOL Wow64Process)
{
ULONG_PTR pbi;
NTSTATUS Status;
Status = NtQueryInformationProcess(hProcess,
ProcessWow64Information,
&pbi,
sizeof(pbi),
NULL);
if (!NT_SUCCESS(Status))
{
SetLastError(RtlNtStatusToDosError(Status));
return FALSE;
}
*Wow64Process = (pbi != 0);
return TRUE;
}
PEB64 PEBUtils::GetProcessPEB64(LPWSTR &procName)
{
hProcess = OpenProcess(procName);
if(CheckProcess(hProcess))
{
printf("Remote Process is 32 bit but using GetProcesPeb64\n");
exit(EXIT_FAILURE);
}
status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(PROCESS_BASIC_INFORMATION), &dwLength);
if(status != 0x0)
{
printf("NtQueryInformationProcess Error 0x%x\n", status);
exit(EXIT_FAILURE);
}
printf("PEB address : 0x%x\n", pbi.PebBaseAddress);
SIZE_T dwBytesRead = 0x0;
ReadPEB64(dwBytesRead);
return peb64;
}
/*
* @implemented
*/
BOOL
WINAPI
GetProcessAffinityMask(HANDLE hProcess,
PDWORD_PTR lpProcessAffinityMask,
PDWORD_PTR lpSystemAffinityMask)
{
PROCESS_BASIC_INFORMATION ProcessInfo;
SYSTEM_BASIC_INFORMATION SystemInfo;
NTSTATUS Status;
Status = NtQuerySystemInformation(SystemBasicInformation,
&SystemInfo,
sizeof(SystemInfo),
NULL);
if (!NT_SUCCESS(Status))
{
SetLastErrorByStatus(Status);
return FALSE;
}
Status = NtQueryInformationProcess(hProcess,
ProcessBasicInformation,
(PVOID)&ProcessInfo,
sizeof(PROCESS_BASIC_INFORMATION),
NULL);
if (!NT_SUCCESS(Status))
{
SetLastErrorByStatus(Status);
return FALSE;
}
*lpProcessAffinityMask = (DWORD)ProcessInfo.AffinityMask;
*lpSystemAffinityMask = (DWORD)SystemInfo.ActiveProcessorsAffinityMask;
return TRUE;
}
/*
* @implemented
*/
BOOL
WINAPI
GetProcessTimes(HANDLE hProcess,
LPFILETIME lpCreationTime,
LPFILETIME lpExitTime,
LPFILETIME lpKernelTime,
LPFILETIME lpUserTime)
{
KERNEL_USER_TIMES Kut;
NTSTATUS Status;
Status = NtQueryInformationProcess(hProcess,
ProcessTimes,
&Kut,
sizeof(Kut),
NULL);
if (!NT_SUCCESS(Status))
{
SetLastErrorByStatus(Status);
return FALSE;
}
lpCreationTime->dwLowDateTime = Kut.CreateTime.u.LowPart;
lpCreationTime->dwHighDateTime = Kut.CreateTime.u.HighPart;
lpExitTime->dwLowDateTime = Kut.ExitTime.u.LowPart;
lpExitTime->dwHighDateTime = Kut.ExitTime.u.HighPart;
lpKernelTime->dwLowDateTime = Kut.KernelTime.u.LowPart;
lpKernelTime->dwHighDateTime = Kut.KernelTime.u.HighPart;
lpUserTime->dwLowDateTime = Kut.UserTime.u.LowPart;
lpUserTime->dwHighDateTime = Kut.UserTime.u.HighPart;
return TRUE;
}
VOID PhpUpdateProcessStatistics(
_In_ HWND hwndDlg,
_In_ PPH_PROCESS_ITEM ProcessItem,
_In_ PPH_STATISTICS_CONTEXT Context
)
{
WCHAR timeSpan[PH_TIMESPAN_STR_LEN_1];
SetDlgItemInt(hwndDlg, IDC_ZPRIORITY_V, ProcessItem->BasePriority, TRUE); // priority
PhPrintTimeSpan(timeSpan, ProcessItem->KernelTime.QuadPart, PH_TIMESPAN_HMSM); // kernel time
SetDlgItemText(hwndDlg, IDC_ZKERNELTIME_V, timeSpan);
PhPrintTimeSpan(timeSpan, ProcessItem->UserTime.QuadPart, PH_TIMESPAN_HMSM); // user time
SetDlgItemText(hwndDlg, IDC_ZUSERTIME_V, timeSpan);
PhPrintTimeSpan(timeSpan,
ProcessItem->KernelTime.QuadPart + ProcessItem->UserTime.QuadPart, PH_TIMESPAN_HMSM); // total time
SetDlgItemText(hwndDlg, IDC_ZTOTALTIME_V, timeSpan);
SetDlgItemText(hwndDlg, IDC_ZPRIVATEBYTES_V,
PhaFormatSize(ProcessItem->VmCounters.PagefileUsage, -1)->Buffer); // private bytes (same as PrivateUsage)
SetDlgItemText(hwndDlg, IDC_ZPEAKPRIVATEBYTES_V,
PhaFormatSize(ProcessItem->VmCounters.PeakPagefileUsage, -1)->Buffer); // peak private bytes
SetDlgItemText(hwndDlg, IDC_ZVIRTUALSIZE_V,
PhaFormatSize(ProcessItem->VmCounters.VirtualSize, -1)->Buffer); // virtual size
SetDlgItemText(hwndDlg, IDC_ZPEAKVIRTUALSIZE_V,
PhaFormatSize(ProcessItem->VmCounters.PeakVirtualSize, -1)->Buffer); // peak virtual size
SetDlgItemText(hwndDlg, IDC_ZPAGEFAULTS_V,
PhaFormatUInt64(ProcessItem->VmCounters.PageFaultCount, TRUE)->Buffer); // page faults
SetDlgItemText(hwndDlg, IDC_ZWORKINGSET_V,
PhaFormatSize(ProcessItem->VmCounters.WorkingSetSize, -1)->Buffer); // working set
SetDlgItemText(hwndDlg, IDC_ZPEAKWORKINGSET_V,
PhaFormatSize(ProcessItem->VmCounters.PeakWorkingSetSize, -1)->Buffer); // peak working set
SetDlgItemText(hwndDlg, IDC_ZIOREADS_V,
PhaFormatUInt64(ProcessItem->IoCounters.ReadOperationCount, TRUE)->Buffer); // reads
SetDlgItemText(hwndDlg, IDC_ZIOREADBYTES_V,
PhaFormatSize(ProcessItem->IoCounters.ReadTransferCount, -1)->Buffer); // read bytes
SetDlgItemText(hwndDlg, IDC_ZIOWRITES_V,
PhaFormatUInt64(ProcessItem->IoCounters.WriteOperationCount, TRUE)->Buffer); // writes
SetDlgItemText(hwndDlg, IDC_ZIOWRITEBYTES_V,
PhaFormatSize(ProcessItem->IoCounters.WriteTransferCount, -1)->Buffer); // write bytes
SetDlgItemText(hwndDlg, IDC_ZIOOTHER_V,
PhaFormatUInt64(ProcessItem->IoCounters.OtherOperationCount, TRUE)->Buffer); // other
SetDlgItemText(hwndDlg, IDC_ZIOOTHERBYTES_V,
PhaFormatSize(ProcessItem->IoCounters.OtherTransferCount, -1)->Buffer); // read bytes
SetDlgItemText(hwndDlg, IDC_ZHANDLES_V,
PhaFormatUInt64(ProcessItem->NumberOfHandles, TRUE)->Buffer); // handles
// Optional information
if (!PH_IS_FAKE_PROCESS_ID(ProcessItem->ProcessId))
{
PPH_STRING peakHandles = NULL;
PPH_STRING gdiHandles = NULL;
PPH_STRING userHandles = NULL;
PPH_STRING cycles = NULL;
ULONG pagePriority = -1;
IO_PRIORITY_HINT ioPriority = -1;
PPH_STRING privateWs = NULL;
PPH_STRING shareableWs = NULL;
PPH_STRING sharedWs = NULL;
BOOLEAN gotCycles = FALSE;
BOOLEAN gotWsCounters = FALSE;
if (ProcessItem->QueryHandle)
{
ULONG64 cycleTime;
if (WindowsVersion >= WINDOWS_7)
{
PROCESS_HANDLE_INFORMATION handleInfo;
if (NT_SUCCESS(NtQueryInformationProcess(
ProcessItem->QueryHandle,
ProcessHandleCount,
&handleInfo,
sizeof(PROCESS_HANDLE_INFORMATION),
NULL
)))
{
peakHandles = PhaFormatUInt64(handleInfo.HandleCountHighWatermark, TRUE);
}
}
gdiHandles = PhaFormatUInt64(GetGuiResources(ProcessItem->QueryHandle, GR_GDIOBJECTS), TRUE); // GDI handles
userHandles = PhaFormatUInt64(GetGuiResources(ProcessItem->QueryHandle, GR_USEROBJECTS), TRUE); // USER handles
if (WINDOWS_HAS_CYCLE_TIME &&
NT_SUCCESS(PhGetProcessCycleTime(ProcessItem->QueryHandle, &cycleTime)))
{
cycles = PhaFormatUInt64(cycleTime, TRUE);
gotCycles = TRUE;
}
if (WindowsVersion >= WINDOWS_VISTA)
{
PhGetProcessPagePriority(ProcessItem->QueryHandle, &pagePriority);
PhGetProcessIoPriority(ProcessItem->QueryHandle, &ioPriority);
}
}
if (Context->ProcessHandle)
{
PH_PROCESS_WS_COUNTERS wsCounters;
if (NT_SUCCESS(PhGetProcessWsCounters(Context->ProcessHandle, &wsCounters)))
{
privateWs = PhaFormatSize((ULONG64)wsCounters.NumberOfPrivatePages * PAGE_SIZE, -1);
shareableWs = PhaFormatSize((ULONG64)wsCounters.NumberOfShareablePages * PAGE_SIZE, -1);
sharedWs = PhaFormatSize((ULONG64)wsCounters.NumberOfSharedPages * PAGE_SIZE, -1);
gotWsCounters = TRUE;
}
}
if (WindowsVersion >= WINDOWS_7)
{
if (!gotCycles)
cycles = PhaFormatUInt64(ProcessItem->CycleTimeDelta.Value, TRUE);
if (!gotWsCounters)
privateWs = PhaFormatSize(ProcessItem->WorkingSetPrivateSize, -1);
}
if (WindowsVersion >= WINDOWS_7)
SetDlgItemText(hwndDlg, IDC_ZPEAKHANDLES_V, PhGetStringOrDefault(peakHandles, L"Unknown"));
else
SetDlgItemText(hwndDlg, IDC_ZPEAKHANDLES_V, L"N/A");
SetDlgItemText(hwndDlg, IDC_ZGDIHANDLES_V, PhGetStringOrDefault(gdiHandles, L"Unknown"));
SetDlgItemText(hwndDlg, IDC_ZUSERHANDLES_V, PhGetStringOrDefault(userHandles, L"Unknown"));
SetDlgItemText(hwndDlg, IDC_ZCYCLES_V,
PhGetStringOrDefault(cycles, WINDOWS_HAS_CYCLE_TIME ? L"Unknown" : L"N/A"));
if (WindowsVersion >= WINDOWS_VISTA)
{
if (pagePriority != -1 && pagePriority <= MEMORY_PRIORITY_NORMAL)
SetDlgItemText(hwndDlg, IDC_ZPAGEPRIORITY_V, PhPagePriorityNames[pagePriority]);
else
SetDlgItemText(hwndDlg, IDC_ZPAGEPRIORITY_V, L"Unknown");
if (ioPriority != -1 && ioPriority < MaxIoPriorityTypes)
SetDlgItemText(hwndDlg, IDC_ZIOPRIORITY_V, PhIoPriorityHintNames[ioPriority]);
else
SetDlgItemText(hwndDlg, IDC_ZIOPRIORITY_V, L"Unknown");
}
else
{
SetDlgItemText(hwndDlg, IDC_ZPAGEPRIORITY_V, L"N/A");
SetDlgItemText(hwndDlg, IDC_ZIOPRIORITY_V, L"N/A");
}
SetDlgItemText(hwndDlg, IDC_ZPRIVATEWS_V, PhGetStringOrDefault(privateWs, L"Unknown"));
SetDlgItemText(hwndDlg, IDC_ZSHAREABLEWS_V, PhGetStringOrDefault(shareableWs, L"Unknown"));
SetDlgItemText(hwndDlg, IDC_ZSHAREDWS_V, PhGetStringOrDefault(sharedWs, L"Unknown"));
}
else
{
SetDlgItemText(hwndDlg, IDC_ZPEAKHANDLES_V, L"N/A");
SetDlgItemText(hwndDlg, IDC_ZGDIHANDLES_V, L"N/A");
SetDlgItemText(hwndDlg, IDC_ZUSERHANDLES_V, L"N/A");
SetDlgItemText(hwndDlg, IDC_ZCYCLES_V, L"N/A");
SetDlgItemText(hwndDlg, IDC_ZPAGEPRIORITY_V, L"N/A");
SetDlgItemText(hwndDlg, IDC_ZIOPRIORITY_V, L"N/A");
SetDlgItemText(hwndDlg, IDC_ZPRIVATEWS_V, L"N/A");
SetDlgItemText(hwndDlg, IDC_ZSHAREABLEWS_V, L"N/A");
SetDlgItemText(hwndDlg, IDC_ZSHAREDWS_V, L"N/A");
}
}
/* 通过进程PID获取进程命令行参数 */
BOOL GetProcessCommandLineByPID(DWORD dwProcessID, LPTSTR szCommandLine, DWORD nSize)
{
HANDLE hProcess;
NTSTATUS Status;
PVOID pebAddress;
PVOID rtlUserProcParamsAddress;
UNICODE_STRING commandLine;
WCHAR *commandLineContents;
PROCESS_BASIC_INFORMATION pbi;
_NtQueryInformationProcess NtQueryInformationProcess;
NtQueryInformationProcess = (_NtQueryInformationProcess)GetProcAddress(
GetModuleHandle(_T("ntdll.dll")), "NtQueryInformationProcess");
if (NtQueryInformationProcess == NULL)
{
ODS(_T("NtQueryInformationProcess address error!"));
return FALSE;
}
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwProcessID);
if (hProcess == NULL)
{
return FALSE;
}
Status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), NULL);
if (!NT_SUCCESS(Status))
{
CloseHandle(hProcess);
return FALSE;
}
pebAddress = pbi.PebBaseAddress;
if (!ReadProcessMemory(hProcess, (PCHAR)pebAddress + 0x10,
&rtlUserProcParamsAddress, sizeof(PVOID), NULL))
{
ODS(_T("Could not read the address of ProcessParameters!"));
CloseHandle(hProcess);
return FALSE;
}
/* read the CommandLine UNICODE_STRING structure */
if (!ReadProcessMemory(hProcess, (PCHAR)rtlUserProcParamsAddress + 0x40,
&commandLine, sizeof(commandLine), NULL))
{
ODS(_T("Could not read CommandLine!"));
CloseHandle(hProcess);
return FALSE;
}
/* allocate memory to hold the command line */
commandLineContents = (WCHAR *)malloc(commandLine.Length + sizeof(WCHAR));
/* read the command line */
if (!ReadProcessMemory(hProcess, commandLine.Buffer,
commandLineContents, commandLine.Length + sizeof(WCHAR), NULL))
{
ODS(_T("Could not read the command line string!"));
CloseHandle(hProcess);
return FALSE;
}
#ifdef UNICODE
lstrcpynW(szCommandLine, commandLineContents, nSize);
#else
WideCharToMultiByte(CP_ACP, 0, commandLineContents, -1, szCommandLine, nSize, NULL, NULL);
#endif
free(commandLineContents);
CloseHandle(hProcess);
return TRUE;
}
NTSTATUS
_main(IN INT argc,
IN PCHAR argv[],
IN PCHAR envp[],
IN ULONG DebugFlag)
{
NTSTATUS Status;
KPRIORITY SetBasePriority;
ULONG_PTR Parameters[4];
HANDLE Handles[2];
PVOID State;
ULONG Flags;
PROCESS_BASIC_INFORMATION ProcessInfo;
UNICODE_STRING DbgString, InitialCommand;
/* Make us critical */
RtlSetProcessIsCritical(TRUE, NULL, FALSE);
RtlSetThreadIsCritical(TRUE, NULL, FALSE);
/* Raise our priority */
SetBasePriority = 11;
Status = NtSetInformationProcess(NtCurrentProcess(),
ProcessBasePriority,
(PVOID)&SetBasePriority,
sizeof(SetBasePriority));
ASSERT(NT_SUCCESS(Status));
/* Save the debug flag if it was passed */
if (DebugFlag) SmpDebug = DebugFlag != 0;
/* Build the hard error parameters */
Parameters[0] = (ULONG_PTR)&DbgString;
Parameters[1] = Parameters[2] = Parameters[3] = 0;
/* Enter SEH so we can terminate correctly if anything goes wrong */
_SEH2_TRY
{
/* Initialize SMSS */
Status = SmpInit(&InitialCommand, Handles);
if (!NT_SUCCESS(Status))
{
DPRINT1("SMSS: SmpInit return failure - Status == %x\n", Status);
RtlInitUnicodeString(&DbgString, L"Session Manager Initialization");
Parameters[1] = Status;
_SEH2_LEAVE;
}
/* Get the global flags */
Status = NtQuerySystemInformation(SystemFlagsInformation,
&Flags,
sizeof(Flags),
NULL);
ASSERT(NT_SUCCESS(Status));
/* Before executing the initial command check if the debug flag is on */
if (Flags & (FLG_DEBUG_INITIAL_COMMAND | FLG_DEBUG_INITIAL_COMMAND_EX))
{
/* SMSS should launch ntsd with a few parameters at this point */
DPRINT1("Global Flags Set to SMSS Debugging: Not yet supported\n");
}
/* Execute the initial command (Winlogon.exe) */
Status = SmpExecuteInitialCommand(0, &InitialCommand, &Handles[1], NULL);
if (!NT_SUCCESS(Status))
{
/* Fail and raise a hard error */
DPRINT1("SMSS: Execute Initial Command failed\n");
RtlInitUnicodeString(&DbgString,
L"Session Manager ExecuteInitialCommand");
Parameters[1] = Status;
_SEH2_LEAVE;
}
/* Check if we're already attached to a session */
Status = SmpAcquirePrivilege(SE_LOAD_DRIVER_PRIVILEGE, &State);
if (AttachedSessionId != -1)
{
/* Detach from it, we should be in no session right now */
Status = NtSetSystemInformation(SystemSessionDetach,
&AttachedSessionId,
sizeof(AttachedSessionId));
ASSERT(NT_SUCCESS(Status));
AttachedSessionId = -1;
}
SmpReleasePrivilege(State);
/* Wait on either CSRSS or Winlogon to die */
Status = NtWaitForMultipleObjects(RTL_NUMBER_OF(Handles),
Handles,
WaitAny,
FALSE,
NULL);
if (Status == STATUS_WAIT_0)
{
/* CSRSS is dead, get exit code and prepare for the hard error */
RtlInitUnicodeString(&DbgString, L"Windows SubSystem");
Status = NtQueryInformationProcess(Handles[0],
ProcessBasicInformation,
&ProcessInfo,
sizeof(ProcessInfo),
NULL);
DPRINT1("SMSS: Windows subsystem terminated when it wasn't supposed to.\n");
}
else
{
/* The initial command is dead or we have another failure */
RtlInitUnicodeString(&DbgString, L"Windows Logon Process");
if (Status == STATUS_WAIT_1)
{
/* Winlogon.exe got terminated, get its exit code */
Status = NtQueryInformationProcess(Handles[1],
ProcessBasicInformation,
&ProcessInfo,
sizeof(ProcessInfo),
NULL);
}
else
{
/* Something else satisfied our wait, so set the wait status */
ProcessInfo.ExitStatus = Status;
Status = STATUS_SUCCESS;
}
DPRINT1("SMSS: Initial command '%wZ' terminated when it wasn't supposed to.\n",
&InitialCommand);
}
/* Check if NtQueryInformationProcess was successful */
if (NT_SUCCESS(Status))
{
/* Then we must have a valid exit status in the structure, use it */
Parameters[1] = ProcessInfo.ExitStatus;
}
else
{
/* We really don't know what happened, so set a generic error */
Parameters[1] = STATUS_UNSUCCESSFUL;
}
}
_SEH2_EXCEPT(SmpUnhandledExceptionFilter(_SEH2_GetExceptionInformation()))
{
/* The filter should never return here */
ASSERT(FALSE);
}
_SEH2_END;
/* Something in the init loop failed, terminate SMSS */
return SmpTerminate(Parameters, 1, RTL_NUMBER_OF(Parameters));
}
/*
* SfuBuildBotPath
*
* Purpose:
*
* Return full path to bot in both variants.
*
*/
BOOL SfuBuildBotPath(
_Inout_ PZA_BOT_PATH Context
)
{
BOOL cond = FALSE, bResult = FALSE;
OBJECT_ATTRIBUTES obja;
UNICODE_STRING ustr1, ustr2;
WCHAR szRegBuffer[MAX_PATH + 1];
HANDLE ProcessHeap;
HANDLE hKey = NULL;
NTSTATUS status;
KEY_VALUE_PARTIAL_INFORMATION *pki = NULL;
LPWSTR lpEnv;
ULONG memIO = 0;
LPWSTR lpLocalBotName, lpPFilesBotName;
PVOID Wow64Information = NULL;
GUID sfGUID;
if (Context == NULL)
return bResult;
ProcessHeap = RtlGetCurrentPeb()->ProcessHeap;
RtlSecureZeroMemory(&ustr1, sizeof(ustr1));
do {
if (!SfInitMD5())
break;
RtlSecureZeroMemory(&sfGUID, sizeof(sfGUID));
SfuCalcVolumeMD5((BYTE*)&sfGUID);
status = NtQueryInformationProcess(NtCurrentProcess(), ProcessWow64Information,
&Wow64Information, sizeof(PVOID), NULL);
if (!NT_SUCCESS(status))
break;
//query current user registry string
if (!NT_SUCCESS(RtlFormatCurrentUserKeyPath(&ustr1)))
break;
lpLocalBotName = Context->szBotPathLocal;
lpPFilesBotName = Context->szBotPathPFiles;
RtlSecureZeroMemory(&szRegBuffer, sizeof(szRegBuffer));
wsprintf(szRegBuffer, T_SHELL_FOLDERS_KEY, ustr1.Buffer);
RtlFreeUnicodeString(&ustr1);
//open User Shell Folders key to query Local AppData value
RtlSecureZeroMemory(&ustr2, sizeof(ustr2));
RtlInitUnicodeString(&ustr2, szRegBuffer);
InitializeObjectAttributes(&obja, &ustr2, OBJ_CASE_INSENSITIVE, NULL, NULL);
status = NtOpenKey(&hKey, KEY_READ, &obja);
if (!NT_SUCCESS(status))
break;
//query value size
RtlInitUnicodeString(&ustr2, T_LOCAL_APPDATA_VALUE);
NtQueryValueKey(hKey, &ustr2, KeyValuePartialInformation,
NULL, 0, &memIO);
if (memIO == 0)
break;
pki = RtlAllocateHeap(ProcessHeap, HEAP_ZERO_MEMORY, memIO);
if (pki == NULL)
break;
//query value
status = NtQueryValueKey(hKey, &ustr2, KeyValuePartialInformation,
pki, memIO, &memIO);
if (!NT_SUCCESS(status))
break;
RtlInitUnicodeString(&ustr2, (WCHAR*)pki->Data);
memIO = 0;
//expand environment variable inside value
RtlSecureZeroMemory(&szRegBuffer, sizeof(szRegBuffer));
ustr1.Buffer = szRegBuffer;
ustr1.Length = 0;
ustr1.MaximumLength = sizeof(szRegBuffer);
status = RtlExpandEnvironmentStrings_U(NULL, &ustr2, &ustr1, &memIO);
if (!NT_SUCCESS(status)) {
ustr1.Buffer = NULL;
break;
}
//build result string
_strcpy(lpLocalBotName, T_GLOBAL_LINK);
_strcat(lpLocalBotName, szRegBuffer);
wsprintf(_strend(lpLocalBotName), T_SIREFEF_DIRECTORY,
sfGUID.Data1, sfGUID.Data2, sfGUID.Data3,
sfGUID.Data4[0],
sfGUID.Data4[1],
sfGUID.Data4[2],
sfGUID.Data4[3],
sfGUID.Data4[4],
sfGUID.Data4[5],
sfGUID.Data4[6],
sfGUID.Data4[7]);
ustr1.Buffer = NULL;
_strcpy(lpPFilesBotName, T_GLOBAL_LINK);
if (Wow64Information == NULL) {
lpEnv = L"ProgramFiles=";
}
else {
lpEnv = L"ProgramFiles(x86)=";
}
RtlInitUnicodeString(&ustr2, lpEnv);
lpEnv = SfuQueryEnvironmentVariableOffset(&ustr2);
if (lpEnv) {
_strcat(lpPFilesBotName, lpEnv);
wsprintf(_strend(lpPFilesBotName), T_SIREFEF_DIRECTORY,
sfGUID.Data1, sfGUID.Data2, sfGUID.Data3,
sfGUID.Data4[0],
sfGUID.Data4[1],
sfGUID.Data4[2],
sfGUID.Data4[3],
sfGUID.Data4[4],
sfGUID.Data4[5],
sfGUID.Data4[6],
sfGUID.Data4[7]);
}
bResult = TRUE;
} while (cond);
if (hKey != NULL) {
NtClose(hKey);
}
if (ustr1.Buffer != NULL) {
RtlFreeUnicodeString(&ustr1);
}
if (pki != NULL) {
RtlFreeHeap(ProcessHeap, 0, pki);
}
return bResult;
}
BOOL
FindModule(
IN HANDLE hProcess,
IN HMODULE hModule,
OUT PLDR_DATA_TABLE_ENTRY LdrEntryData
)
/*++
Routine Description:
This function retrieves the loader table entry for the specified
module. The function copies the entry into the buffer pointed to
by the LdrEntryData parameter.
Arguments:
hProcess - Supplies the target process.
hModule - Identifies the module whose loader entry is being
requested. A value of NULL references the module handle
associated with the image file that was used to create the
process.
LdrEntryData - Returns the requested table entry.
Return Value:
TRUE if a matching entry was found.
--*/
{
PROCESS_BASIC_INFORMATION BasicInfo;
NTSTATUS Status;
PPEB Peb;
PPEB_LDR_DATA Ldr;
PLIST_ENTRY LdrHead;
PLIST_ENTRY LdrNext;
Status = NtQueryInformationProcess(
hProcess,
ProcessBasicInformation,
&BasicInfo,
sizeof(BasicInfo),
NULL
);
if ( !NT_SUCCESS(Status) ) {
SetLastError( RtlNtStatusToDosError( Status ) );
return(FALSE);
}
Peb = BasicInfo.PebBaseAddress;
if ( !ARGUMENT_PRESENT( hModule )) {
if (!ReadProcessMemory(hProcess, &Peb->ImageBaseAddress, &hModule, sizeof(hModule), NULL)) {
return(FALSE);
}
}
//
// Ldr = Peb->Ldr
//
if (!ReadProcessMemory(hProcess, &Peb->Ldr, &Ldr, sizeof(Ldr), NULL)) {
return(0);
}
LdrHead = &Ldr->InMemoryOrderModuleList;
//
// LdrNext = Head->Flink;
//
if (!ReadProcessMemory(hProcess, &LdrHead->Flink, &LdrNext, sizeof(LdrNext), NULL)) {
return(FALSE);
}
while (LdrNext != LdrHead) {
PLDR_DATA_TABLE_ENTRY LdrEntry;
LdrEntry = CONTAINING_RECORD(LdrNext, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
if (!ReadProcessMemory(hProcess, LdrEntry, LdrEntryData, sizeof(*LdrEntryData), NULL)) {
return(FALSE);
}
if ((HMODULE) LdrEntryData->DllBase == hModule) {
return(TRUE);
}
LdrNext = LdrEntryData->InMemoryOrderLinks.Flink;
}
SetLastError(ERROR_INVALID_HANDLE);
return(0);
}
BOOL
WINAPI
EnumProcessModules(
HANDLE hProcess,
HMODULE *lphModule,
DWORD cb,
LPDWORD lpcbNeeded
)
{
PROCESS_BASIC_INFORMATION BasicInfo;
NTSTATUS Status;
PPEB Peb;
PPEB_LDR_DATA Ldr;
PLIST_ENTRY LdrHead;
PLIST_ENTRY LdrNext;
DWORD chMax;
DWORD ch;
Status = NtQueryInformationProcess(
hProcess,
ProcessBasicInformation,
&BasicInfo,
sizeof(BasicInfo),
NULL
);
if ( !NT_SUCCESS(Status) ) {
SetLastError( RtlNtStatusToDosError( Status ) );
return(FALSE);
}
Peb = BasicInfo.PebBaseAddress;
//
// Ldr = Peb->Ldr
//
if (!ReadProcessMemory(hProcess, &Peb->Ldr, &Ldr, sizeof(Ldr), NULL)) {
return(FALSE);
}
LdrHead = &Ldr->InMemoryOrderModuleList;
//
// LdrNext = Head->Flink;
//
if (!ReadProcessMemory(hProcess, &LdrHead->Flink, &LdrNext, sizeof(LdrNext), NULL)) {
return(FALSE);
}
chMax = cb / sizeof(HMODULE);
ch = 0;
while (LdrNext != LdrHead) {
PLDR_DATA_TABLE_ENTRY LdrEntry;
LDR_DATA_TABLE_ENTRY LdrEntryData;
LdrEntry = CONTAINING_RECORD(LdrNext, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
if (!ReadProcessMemory(hProcess, LdrEntry, &LdrEntryData, sizeof(LdrEntryData), NULL)) {
return(FALSE);
}
if (ch < chMax) {
try {
lphModule[ch] = (HMODULE) LdrEntryData.DllBase;
}
except (EXCEPTION_EXECUTE_HANDLER) {
SetLastError( RtlNtStatusToDosError( GetExceptionCode() ) );
return(FALSE);
}
}
ch++;
LdrNext = LdrEntryData.InMemoryOrderLinks.Flink;
}
try {
*lpcbNeeded = ch * sizeof(HMODULE);
}
except (EXCEPTION_EXECUTE_HANDLER) {
SetLastError( RtlNtStatusToDosError( GetExceptionCode() ) );
return(FALSE);
}
return(TRUE);
}
static BOOL fetch_module( DWORD process, DWORD flags, LDR_MODULE** ldr_mod, ULONG* num )
{
HANDLE hProcess;
PROCESS_BASIC_INFORMATION pbi;
PPEB_LDR_DATA pLdrData;
NTSTATUS status;
PLIST_ENTRY head, curr;
BOOL ret = FALSE;
*num = 0;
if (!(flags & TH32CS_SNAPMODULE)) return TRUE;
if (process)
{
hProcess = OpenProcess( PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, process );
if (!hProcess) return FALSE;
}
else
hProcess = GetCurrentProcess();
status = NtQueryInformationProcess( hProcess, ProcessBasicInformation,
&pbi, sizeof(pbi), NULL );
if (!status)
{
if (ReadProcessMemory( hProcess, &pbi.PebBaseAddress->LdrData,
&pLdrData, sizeof(pLdrData), NULL ) &&
ReadProcessMemory( hProcess,
&pLdrData->InLoadOrderModuleList.Flink,
&curr, sizeof(curr), NULL ))
{
head = &pLdrData->InLoadOrderModuleList;
while (curr != head)
{
if (!*num)
*ldr_mod = HeapAlloc( GetProcessHeap(), 0, sizeof(LDR_MODULE) );
else
*ldr_mod = HeapReAlloc( GetProcessHeap(), 0, *ldr_mod,
(*num + 1) * sizeof(LDR_MODULE) );
if (!*ldr_mod) break;
if (!ReadProcessMemory( hProcess,
CONTAINING_RECORD(curr, LDR_MODULE,
InLoadOrderModuleList),
&(*ldr_mod)[*num],
sizeof(LDR_MODULE), NULL))
break;
curr = (*ldr_mod)[*num].InLoadOrderModuleList.Flink;
/* if we cannot fetch the strings, then just ignore this LDR_MODULE
* and continue loading the other ones in the list
*/
if (!fetch_string( hProcess, &(*ldr_mod)[*num].BaseDllName )) continue;
if (fetch_string( hProcess, &(*ldr_mod)[*num].FullDllName ))
(*num)++;
else
HeapFree( GetProcessHeap(), 0, (*ldr_mod)[*num].BaseDllName.Buffer );
}
ret = TRUE;
}
}
else SetLastError( RtlNtStatusToDosError( status ) );
if (process) CloseHandle( hProcess );
return ret;
}
BOOL MapNewExecutableRegionInProcess(
IN HANDLE TargetProcessHandle,
IN HANDLE TargetThreadHandle,
IN LPVOID NewExecutableRawImage)
{
PROCESS_BASIC_INFORMATION BasicInformation;
PIMAGE_SECTION_HEADER SectionHeader;
PIMAGE_DOS_HEADER DosHeader;
PIMAGE_NT_HEADERS NtHeader;
PMINI_PEB ProcessPeb;
NTSTATUS (NTAPI *NtUnmapViewOfSection)(HANDLE, LPVOID) = NULL;
NTSTATUS (NTAPI *NtQueryInformationProcess)(HANDLE, PROCESSINFOCLASS, LPVOID, ULONG, PULONG) = NULL;
NTSTATUS Status;
CONTEXT ThreadContext;
LPVOID OldEntryPoint = NULL;
LPVOID TargetImageBase = NULL;
ULONG SectionIndex = 0;
ULONG SizeOfBasicInformation;
BOOL Success = FALSE;
//
// Error checking? Bah.
//
DosHeader = (PIMAGE_DOS_HEADER)NewExecutableRawImage;
NtHeader = (PIMAGE_NT_HEADERS)((PCHAR)NewExecutableRawImage + DosHeader->e_lfanew);
do
{
//
// Get the old entry point address by inspecting eax of the current
// thread (which should be BaseProcessStart). Eax holds the address
// of the entry point for the executable when the process is created
// suspended.
//
ZeroMemory(
&ThreadContext,
sizeof(ThreadContext));
ThreadContext.ContextFlags = CONTEXT_INTEGER;
if (!GetThreadContext(
TargetThreadHandle,
&ThreadContext))
{
break;
}
OldEntryPoint = (LPVOID) NtHeader->OptionalHeader.ImageBase;
//
// Unmap the old executable region in the child process to avoid
// conflicts
//
NtUnmapViewOfSection = (NTSTATUS (NTAPI *)(HANDLE, LPVOID))GetProcAddress(
GetModuleHandle(
TEXT("NTDLL")),
"NtUnmapViewOfSection");
NtUnmapViewOfSection(TargetProcessHandle, OldEntryPoint);
//
// Change the entry point address to the new executable's entry point
//
ThreadContext.Eax = NtHeader->OptionalHeader.AddressOfEntryPoint +
NtHeader->OptionalHeader.ImageBase;
if (!SetThreadContext(
TargetThreadHandle,
&ThreadContext))
break;
//
// Allocate storage for the new executable in the child process
//
if (!(TargetImageBase = VirtualAllocEx(
TargetProcessHandle,
(LPVOID)NtHeader->OptionalHeader.ImageBase,
NtHeader->OptionalHeader.SizeOfImage,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE)))
break;
//
// Update the executable's image base address in the PEB...
//
NtQueryInformationProcess = (NTSTATUS (NTAPI *)(HANDLE, PROCESSINFOCLASS, LPVOID, ULONG, PULONG))GetProcAddress(
GetModuleHandle(
TEXT("NTDLL")),
"NtQueryInformationProcess");
if (NtQueryInformationProcess(
TargetProcessHandle,
ProcessBasicInformation,
&BasicInformation,
sizeof(BasicInformation),
&SizeOfBasicInformation) != ERROR_SUCCESS)
break;
ProcessPeb = BasicInformation.PebBaseAddress;
if (!WriteProcessMemory(
TargetProcessHandle,
(LPVOID)&ProcessPeb->ImageBaseAddress,
(LPVOID)&NtHeader->OptionalHeader.ImageBase,
sizeof(LPVOID),
NULL))
break;
//
// Copy the image headers and all of the section contents
//
if (!WriteProcessMemory(
TargetProcessHandle,
TargetImageBase,
NewExecutableRawImage,
NtHeader->OptionalHeader.SizeOfHeaders,
NULL))
break;
Success = TRUE;
for (SectionIndex = 0,
SectionHeader = IMAGE_FIRST_SECTION(NtHeader);
SectionIndex < NtHeader->FileHeader.NumberOfSections;
SectionIndex++)
{
//
// Skip uninitialized data
//
if ((!SectionHeader[SectionIndex].SizeOfRawData) ||
(SectionHeader[SectionIndex].Characteristics & IMAGE_SCN_CNT_UNINITIALIZED_DATA))
continue;
if (!WriteProcessMemory(
TargetProcessHandle,
(LPVOID)((PCHAR)TargetImageBase +
SectionHeader[SectionIndex].VirtualAddress),
(LPVOID)((PCHAR)NewExecutableRawImage +
SectionHeader[SectionIndex].PointerToRawData),
SectionHeader[SectionIndex].SizeOfRawData,
NULL))
{
Success = FALSE;
break;
}
}
} while (0);
return Success;
}
