//---------------------------------------------------------------------------
// KillProcessTreeWinHelper
//
// This is a recursive helper function that terminates all the processes
// started by the specified process and them terminates the process itself
//
// Parameters:
// dwProcessId - identifier of the process to terminate
//
// Returns:
// Win32 error code.
//
static
BOOL
WINAPI
KillProcessTreeWinHelper
(
IN DWORD dwProcessId
)
{
HINSTANCE hKernel;
HANDLE (WINAPI * _CreateToolhelp32Snapshot)(DWORD, DWORD);
BOOL (WINAPI * _Process32First)(HANDLE, PROCESSENTRY32 *);
BOOL (WINAPI * _Process32Next)(HANDLE, PROCESSENTRY32 *);
// get handle to KERNEL32.DLL
hKernel = GetModuleHandle(_T("kernel32.dll"));
// _ASSERTE(hKernel != NULL);
// locate necessary functions in KERNEL32.DLL
*(FARPROC *)&_CreateToolhelp32Snapshot =
GetProcAddress(hKernel, "CreateToolhelp32Snapshot");
*(FARPROC *)&_Process32First =
GetProcAddress(hKernel, "Process32First");
*(FARPROC *)&_Process32Next =
GetProcAddress(hKernel, "Process32Next");
if (_CreateToolhelp32Snapshot == NULL ||
_Process32First == NULL ||
_Process32Next == NULL)
return ERROR_PROC_NOT_FOUND;
HANDLE hSnapshot;
PROCESSENTRY32 Entry;
// create a snapshot
hSnapshot = _CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE)
return GetLastError();
Entry.dwSize = sizeof(Entry);
if (!_Process32First(hSnapshot, &Entry))
{
DWORD dwError = GetLastError();
CloseHandle(hSnapshot);
return dwError;
}
// kill all children first
do
{
if (Entry.th32ParentProcessID == dwProcessId)
KillProcessTreeWinHelper(Entry.th32ProcessID);
Entry.dwSize = sizeof(Entry);
}
while (_Process32Next(hSnapshot, &Entry));
CloseHandle(hSnapshot);
// kill the process itself
if (!KillProcess(dwProcessId))
return GetLastError();
return ERROR_SUCCESS;
}
// returns...
// 0 - error
DWORD GetProcessEntryPoint(DWORD PID)
{
HANDLE hSnap;
MODULEENTRY32 ModuleInfo;
PROCESSENTRY32 ProcInfo;
sProcessPEInfo ProcPEInfo;
CHAR ProcPath[256];
DWORD dwMemSize,dwPEHeaderAddr;
VOID* pHeader;
HANDLE hProc;
// get ToolHelp32 addresses
if (!GetTh32())
return FALSE;
// I - get the process filename
hSnap = _CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if (hSnap == INVALID_HANDLE_VALUE)
return 0;
// init the ProcInfo struct
ZeroMemory(&ProcInfo,sizeof(ProcInfo));
ProcInfo.dwSize = sizeof(ProcInfo);
// find the to the PID corresponding file path
_Process32First(hSnap,&ProcInfo);
ProcPath[0] = 0;
while (_Process32Next(hSnap,&ProcInfo))
if (ProcInfo.th32ProcessID == PID)
strcpy((LPTSTR)&ProcPath,ProcInfo.szExeFile);
CloseHandle(hSnap);
if (ProcPath[0] == 0)
return 0;
// II - find the ImageBase/SizeOfImage
hSnap = _CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,PID);
if (hSnap == INVALID_HANDLE_VALUE)
return 0;
// init the ModuleInfo and the ProcPEInfo struct
ZeroMemory(&ModuleInfo,sizeof(ModuleInfo));
ModuleInfo.dwSize = sizeof(ModuleInfo);
ZeroMemory(&ProcPEInfo,sizeof(ProcPEInfo));
_Module32First(hSnap,&ModuleInfo);
if (stricmp((LPCTSTR)&ModuleInfo.szExePath,(LPCTSTR)&ProcPath) == 0)
{
ProcPEInfo.dwImageBase = (DWORD)ModuleInfo.modBaseAddr;
ProcPEInfo.dwSizeOfImage = ModuleInfo.modBaseSize;
}
while (_Module32Next(hSnap,&ModuleInfo))
{
if (stricmp((LPCTSTR)&ModuleInfo.szExePath,(LPCTSTR)&ProcPath) == 0)
{
ProcPEInfo.dwImageBase = (DWORD)ModuleInfo.modBaseAddr;
ProcPEInfo.dwSizeOfImage = ModuleInfo.modBaseSize;
}
}
CloseHandle(hSnap);
if (ProcPEInfo.dwImageBase == 0)
return 0;
// get the EntryPoint
if (ProcPEInfo.dwSizeOfImage < HEADER_SIZE)
dwMemSize = ProcPEInfo.dwSizeOfImage;
else
dwMemSize = HEADER_SIZE;
if (!(hProc = OpenProcess(PROCESS_VM_READ,FALSE,PID)))
return 0;
if (!(pHeader = GlobalAlloc(GMEM_FIXED,dwMemSize)))
return 0;
if (!ReadProcessMemory(
hProc,
(PVOID)ProcPEInfo.dwImageBase,
pHeader,
dwMemSize,
&dwBytesRead))
{
GlobalFree(pHeader);
return 0;
}
if (((PIMAGE_DOS_HEADER)pHeader)->e_magic != IMAGE_DOS_SIGNATURE)
{
GlobalFree(pHeader);
return 0;
}
dwPEHeaderAddr = ((PIMAGE_DOS_HEADER)pHeader)->e_lfanew;
if (((PIMAGE_NT_HEADERS)(dwPEHeaderAddr + (DWORD)pHeader))->Signature !=
IMAGE_NT_SIGNATURE)
{
GlobalFree(pHeader);
return 0;
}
ProcPEInfo.dwEntryPointVA = ((PIMAGE_NT_HEADERS)(dwPEHeaderAddr + (DWORD)pHeader))->OptionalHeader \
.AddressOfEntryPoint + ProcPEInfo.dwImageBase;
GlobalFree(pHeader);
return ProcPEInfo.dwEntryPointVA;
}
DWORD ProcessMonitor::ThreadHandler( DWORD dwProc, DWORD dwMode, DWORD dwValue )
{
BOOL bOut = FALSE;
///DWORD dwErr = -1, dwOut = -1, dwOldPerm;
DWORD dwErr = -1, dwOut = -1;
HANDLE hSnapTh = INVALID_HANDLE_VALUE;
THREADENTRY32 te;
ZeroMemory(&te, sizeof(THREADENTRY32));
te.dwSize = sizeof(THREADENTRY32);
hSnapTh = _CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD | TH32CS_SNAPNOHEAPS, dwProc);
if (hSnapTh == INVALID_HANDLE_VALUE) {
/***
if (FALSE == SHCloseApps((0xA00000))) {
return NULL;
}
***/
hSnapTh = _CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD | TH32CS_SNAPNOHEAPS, dwProc);
if (hSnapTh == INVALID_HANDLE_VALUE) {
return NULL;
}
}
if (_Thread32First(hSnapTh, &te)) {
do {
if (dwProc == te.th32OwnerProcessID) {
if ((dwMode&TH_MASK) == TH_BY_PRI) {
if (te.tpBasePri == dwValue) {
SetLastError(0);
dwOut = te.th32ThreadID;
if (dwMode == TH_TERMINATE_BY_PRI) {
if (_TerminateThread((HANDLE)te.th32ThreadID, 0) == TRUE) {
dwOut = 0;
}
}
if (dwMode == TH_SUSPEND_BY_PRI) {
///SetKMode(TRUE);
///dwOldPerm = SetProcPermissions(0xFFFFFFFF);
if (_SuspendThread((HANDLE)te.th32ThreadID) != 0xFFFFFFFF) {
dwOut = te.th32ThreadID;
}
}
if (dwMode == TH_RESUME_BY_PRI) {
///SetKMode(TRUE);
///dwOldPerm = SetProcPermissions(0xFFFFFFFF);
if (_ResumeThread((HANDLE)te.th32ThreadID) != 0xFFFFFFFF) {
dwOut = te.th32ThreadID;;
}
}
break;
}
}
if ((dwMode&TH_MASK) == TH_ALL) {
if (dwMode == TH_TERMINATE_ALL) {
if (_TerminateThread((HANDLE)te.th32ThreadID, 0) == TRUE) {
dwOut = 0;
}
}
if (dwMode == TH_SUSPEND_ALL) {
///SetKMode(TRUE);
///dwOldPerm = SetProcPermissions(0xFFFFFFFF);
if (_SuspendThread((HANDLE)te.th32ThreadID) != 0xFFFFFFFF) {
dwOut = te.th32ThreadID;
}
}
if (dwMode == TH_RESUME_ALL) {
///SetKMode(TRUE);
///dwOldPerm = SetProcPermissions(0xFFFFFFFF);
if (_ResumeThread((HANDLE)te.th32ThreadID) != 0xFFFFFFFF) {
dwOut = te.th32ThreadID;;
}
}
}
}
} while (_Thread32Next(hSnapTh, &te));
}
///if (dwOldPerm != 0)
///SetProcPermissions(dwOldPerm);
///SetKMode(FALSE);
if (hSnapTh != INVALID_HANDLE_VALUE && hSnapTh != NULL)
_CloseToolhelp32Snapshot(hSnapTh);
return dwOut;
}
BOOL ProcessMonitor::ProcessHandler( wstring wszProcessName, DWORD dwMode, DWORD dwValue )
{
BOOL bOut = FALSE;
HANDLE hTH = INVALID_HANDLE_VALUE;
PROCESSENTRY32 pe;
ZeroMemory(&pe, sizeof(PROCESSENTRY32));
pe.dwSize = sizeof(PROCESSENTRY32);
HANDLE hProc = INVALID_HANDLE_VALUE;
hTH = _CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS | TH32CS_SNAPNOHEAPS, 0);
if (hTH == INVALID_HANDLE_VALUE) {
/***
if (FALSE == SHCloseApps((0xA00000))) {
DBG_TRACE(L"ProcessMonitor ProcessHandler CreateToolhelp32Snapshot FAILED ", 5, FALSE);
return FALSE;
}
***/
hTH = _CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS | TH32CS_SNAPNOHEAPS, 0);
if (hTH == INVALID_HANDLE_VALUE) {
DBG_TRACE(L"ProcessMonitor ProcessHandler CreateToolhelp32Snapshot FAILED ", 5, FALSE);
return FALSE;
}
}
if (_Process32FirstW(hTH, &pe)) {
do {
if (_wcsicmp(wszProcessName.c_str(), pe.szExeFile) == 0) {
hProc = _OpenProcess(0, FALSE, pe.th32ProcessID);
if (hProc != INVALID_HANDLE_VALUE && hProc != NULL) {
switch(dwMode) {
case PROC_TERMINATE: {
bOut = _TerminateProcess(hProc, 1);
DBG_TRACE_INT(L"ProcessMonitor ProcessHandler TerminateProcess1 bOut: ", 5, TRUE, bOut);
if (bOut == FALSE) {
if (hProc)
CloseHandle(hProc);
///BOOL bKMode = SetKMode(TRUE);
///DWORD dwProcPerm = SetProcPermissions(0xFFFFFFFF);
hProc = _OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe.th32ProcessID);
if (hProc != INVALID_HANDLE_VALUE && hProc != NULL) {
bOut = _TerminateProcess(hProc, 1);
}
DBG_TRACE_INT(L"ProcessMonitor ProcessHandler TerminateProcess2 bOut: ", 5, TRUE, bOut);
///SetProcPermissions(dwProcPerm);
///SetKMode(bKMode);
if (hProc)
CloseHandle(hProc);
}
break;
}
case PROC_FIND:
bOut = TRUE;
break;
default:
if (dwMode&TH_MASK)
if (ThreadHandler(pe.th32ProcessID, dwMode, dwValue) != -1)
bOut = TRUE;
break;
}
CloseHandle(hProc);
break;
}
}
} while (_Process32NextW(hTH, &pe));
}
_CloseToolhelp32Snapshot(hTH);
return bOut;
}
BOOL ProcessMonitor::RefreshProcessList() {
ProcessEntry tProcEntry;
unsigned __int64 utTime;
WAIT_AND_SIGNAL(hProcessMutex);
utTime = GetTime();
// Refreshamo la lista solo se sono passati piu' di 3 secondi
if (DiffTime(utTime, ulTime) < 3000) {
UNLOCK(hProcessMutex);
return TRUE;
}
ulTime = utTime;
pe.dwSize = sizeof(pe);
if (hSnap != INVALID_HANDLE_VALUE) {
_CloseToolhelp32Snapshot(hSnap);
hSnap = INVALID_HANDLE_VALUE;
}
pList.clear();
// Il secondo flag e' un undocumented che serve per windowList a NON richiedere la lista
// degli heaps altrimenti la funzione fallisce sempre per mancanza di RAM.
hSnap = _CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS | TH32CS_SNAPNOHEAPS, 0);
if (hSnap == INVALID_HANDLE_VALUE) {
/// SHCloseApps(10000000); // Liberiamo 10Mb e riproviamo
hSnap = _CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS | TH32CS_SNAPNOHEAPS, 0);
if (hSnap == INVALID_HANDLE_VALUE) {
UNLOCK(hProcessMutex);
return FALSE;
}
}
if (_Process32FirstW(hSnap, &pe) == FALSE) {
if (GetLastError() == ERROR_NO_MORE_FILES) {
UNLOCK(hProcessMutex);
return TRUE;
}
UNLOCK(hProcessMutex);
return FALSE;
}
tProcEntry.bTriggered = FALSE;
CopyMemory(&tProcEntry.pe, &pe, sizeof(pe));
pList.push_back(tProcEntry);
while (_Process32NextW(hSnap, &pe)) {
tProcEntry.bTriggered = FALSE;
CopyMemory(&tProcEntry.pe, &pe, sizeof(pe));
pList.push_back(tProcEntry);
}
if (GetLastError() == ERROR_NO_MORE_FILES) {
UNLOCK(hProcessMutex);
return TRUE;
}
UNLOCK(hProcessMutex);
return FALSE;
}