BOOL pw_callback_under_dr(process_info_t *pi, void **param) { TCHAR *resstr; TCHAR reschar; int res; TCHAR buf[MAXIMUM_PATH]; DWORD version; BOOL under_dr; CDynamoRIOView *view = (CDynamoRIOView *) param; version = 0; res = under_dynamorio_ex(pi->ProcessID, &version); switch (res) { case DLL_PROFILE : resstr=_T("SC profile"); reschar=_T('P'); break; case DLL_RELEASE : resstr=_T("SC release"); reschar=_T('R'); break; case DLL_DEBUG : resstr=_T("SC debug"); reschar=_T('D'); break; case DLL_CUSTOM : resstr=_T("SC custom"); reschar=_T('C'); break; case DLL_NONE : resstr=_T("native"); reschar=_T('N'); break; case DLL_UNKNOWN : default : resstr=_T("<error>"); reschar=_T('?'); } under_dr = !(res == DLL_NONE || res == DLL_UNKNOWN); if (under_dr) { _stprintf(buf, _T("%5d %c %") UNICODE_PRINTF, pi->ProcessID, reschar, pi->ProcessName); view->m_ProcessList.InsertString(view->m_list_pos, buf); view->m_ProcessList.SetItemData(view->m_list_pos, pi->ProcessID); view->m_list_pos++; } return TRUE; }
DWORD inject_status(process_id_t pid, DWORD *status, DWORD *build) { DWORD dll_stat, res = ERROR_SUCCESS; dll_stat = under_dynamorio_ex(pid, build); switch (dll_stat) { case DLL_NONE: *status = INJECT_STATUS_NATIVE; break; case DLL_UNKNOWN: *status = INJECT_STATUS_UNKNOWN; break; case DLL_RELEASE: case DLL_DEBUG: case DLL_PROFILE: case DLL_CUSTOM: *status = INJECT_STATUS_PROTECTED; break; case DLL_PATHHAS: default: *status = INJECT_STATUS_UNKNOWN; res = ERROR_INVALID_PARAMETER; break; } return res; }
int under_dynamorio(process_id_t ProcessID) { return under_dynamorio_ex(ProcessID, NULL); }
BOOL dllw_callback(module_info_t *mi, void **param) { char *resstr; char reschar; int res; DWORD version; BOOL exe_match = (exe && wcsstr(mi->BaseDllName, wexe)) ? TRUE : FALSE; BOOL exe_present = (wcsstr(mi->BaseDllName, L".exe") || wcsstr(mi->BaseDllName, L".EXE")) ? TRUE : FALSE; /* -listdlls option is set && any of below 3 conditions hold true. (1) -pid value is set and current threadID matches. (2) -exe is set and all DLLs with matching threadIDs (a fake comparison) since WINDOWS provides no other handle. (3) -listall option is set */ if ( listdlls && ((pid && mi->ProcessID == pid) || ((exe_match || (exe && save_pid == mi->ProcessID && (!exe_present || wcscmp(save_module, mi->BaseDllName) == 0)))) || (listall || listdr))) { version = -1; res = under_dynamorio_ex (mi->ProcessID, &version); switch (res) { case DLL_PROFILE : resstr=NAME" profile"; reschar='P'; break; case DLL_RELEASE : resstr=NAME" release"; reschar='R'; break; case DLL_DEBUG : resstr=NAME" debug"; reschar='D'; break; case DLL_CUSTOM : resstr=NAME" custom"; reschar='C'; break; case DLL_NONE : resstr="native"; reschar='N'; break; case DLL_UNKNOWN : default : resstr="<error>"; reschar='?'; } save_pid = mi->ProcessID; if (!(listdr && (res==DLL_NONE || res==DLL_UNKNOWN))) { if (wcsstr(mi->BaseDllName, L".exe") || wcsstr(mi->BaseDllName, L".EXE")) { wcsncpy(save_module, mi->BaseDllName, sizeof(save_module)/sizeof(save_module[0])); save_module[(sizeof(save_module)/sizeof(save_module[0]))-1] = L'\0'; if (!nopid && !showmem) fprintf(fp, "\n\nPID %d ", mi->ProcessID); if (!showmem) { if (version == -1 || !showbuild) { fprintf(fp, "\t\tProcess %S, running %s\n", mi->BaseDllName, resstr); } else { fprintf(fp, "\t\tProcess %S, running %s (build %d)\n", mi->BaseDllName, resstr, version); } } count = 0; } else { if (!showmem) { if (showdlls) { /* long format */ fprintf(fp, " %08x-%08x %-16S Stamp=%x Count=%d\n %S\n", mi->BaseAddress, (uint)mi->BaseAddress+mi->SizeOfImage, mi->BaseDllName, mi->TimeDateStamp, mi->LoadCount, mi->FullDllName); } else { fprintf(fp, "\t%-16S", mi->BaseDllName); count++; if ((count % 3) == 0) { fprintf(fp, "\n"); count = 0; } } } } } } return TRUE; }
BOOL pw_callback(process_info_t *pi, void **param) { char *resstr; char reschar; int res; WCHAR buf[MAX_CMDLINE]; DWORD version; BOOL under_dr; WCHAR qual_name[MAX_CMDLINE]; if (exe) generate_process_name(pi, qual_name, BUFFER_SIZE_ELEMENTS(qual_name)); if ( (pid && pi->ProcessID == pid) || (exe && (!wcsicmp(wexe, pi->ProcessName) || !wcsicmp(wexe, qual_name))) || listall || listdr) { version = -1; res = under_dynamorio_ex(pi->ProcessID, &version); switch (res) { case DLL_PROFILE : resstr=NAME" profile"; reschar='P'; break; case DLL_RELEASE : resstr=NAME" release"; reschar='R'; break; case DLL_DEBUG : resstr=NAME" debug"; reschar='D'; break; case DLL_CUSTOM : resstr=NAME" custom"; reschar='C'; break; case DLL_NONE : resstr="native"; reschar='N'; break; case DLL_UNKNOWN : default : resstr="<error>"; reschar='?'; } under_dr = !(res == DLL_NONE || res == DLL_UNKNOWN); if (!listdr || under_dr) { if (!nopid && !showmem) { if (onlypid) fprintf(fp, "%d\n", (DWORD) pi->ProcessID); else fprintf(fp, "PID %d, ", (DWORD) pi->ProcessID); } if (!showmem && !onlypid) { WCHAR qual_name[MAX_CMDLINE]; WCHAR *name_to_use = pi->ProcessName; #ifdef X64 HANDLE hproc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, (DWORD) pi->ProcessID); if (is_wow64(hproc)) { if (!no32) fprintf(fp, "32-bit, "); /* FIXME: currently x64 process can't see 32-bit * drmarker */ resstr="<unknown>"; } CloseHandle(hproc); #endif if (!noqnames) { generate_process_name(pi, qual_name, BUFFER_SIZE_ELEMENTS(qual_name)); name_to_use = qual_name; } fprintf(fp, "Process %S, ", name_to_use); if (version == -1 || !showbuild) fprintf(fp, "running %s\n", resstr); else fprintf(fp, "running %s (build %d)\n", resstr, version); } if (cmdline) { res = get_process_cmdline(pi->ProcessID, buf, BUFFER_SIZE_ELEMENTS(buf)); NULL_TERMINATE_BUFFER(buf); if (res == ERROR_SUCCESS) { fprintf(fp, "\tCmdline: %S\n", buf); } else fprintf(fp, "\t<Cmdline err %d>\n", res); } if (qname) { WCHAR cmdline[MAX_CMDLINE]; res = get_process_cmdline(pi->ProcessID, cmdline, BUFFER_SIZE_ELEMENTS(cmdline)); NULL_TERMINATE_BUFFER(cmdline); if (res == ERROR_SUCCESS) { if (!get_commandline_qualifier(cmdline, buf, BUFFER_SIZE_ELEMENTS(buf), !strip)) buf[0] = L'\0'; /* no args */ NULL_TERMINATE_BUFFER(buf); } if (res == ERROR_SUCCESS) fprintf(fp, "\tQname: %S%s%S\n", pi->ProcessName, buf[0] == L'\0' ? "" : "-", buf); else fprintf(fp, "\t<Qname err %d>\n", res); } if (under_dr && hotp) { hotp_policy_status_table_t *status_tbl = NULL; res = get_hotp_status(pi->ProcessID, &status_tbl); if (res == ERROR_SUCCESS) { uint j; hotp_policy_status_t *cur; fprintf(fp, "\tHotpatching:\n", res); for (j = 0; j < status_tbl->num_policies; j++) { char status_buf[MAX_PATH]; cur = &(status_tbl->policy_status_array[j]); if (get_status_string(status_buf, MAX_PATH, cur->inject_status, cur->mode)) fprintf(fp, "\t Patch %s: %s\n", cur->policy_id, status_buf); } } else if (res == ERROR_DRMARKER_ERROR) { fprintf(fp, "\tHot Patching Not Enabled\n", res); } else { fprintf(fp, "\t<Hotpatch Query Error %d>\n", res); } } if (under_dr && showstats) { dr_statistics_t *stats = get_dynamorio_stats(pi->ProcessID); if (stats != NULL) { uint i; fprintf(fp, "\t%.*s\n", BUFFER_SIZE_ELEMENTS(stats->process_name), stats->process_name); for (i = 0; i < stats->num_stats; i++) { fprintf(fp, "\t%*.*s :%9d\n", BUFFER_SIZE_ELEMENTS(stats->stats[i].name), BUFFER_SIZE_ELEMENTS(stats->stats[i].name), stats->stats[i].name, stats->stats[i].value); } } free_dynamorio_stats(stats); } if (showmem) { print_mem_stats(pi, reschar, version); } count++; } } return TRUE; }