const char *NAMESPACE::Application::executablePath() { static char appPath[1024]="."; #ifdef WIN32 GetModuleFileNameExA(GetCurrentProcess(),NULL,appPath,1024); // remove file name char *pos = strrchr(appPath,'\\'); if (pos) { *(pos+1) = '\0'; } #else #ifndef __APPLE__ int length; /* /proc/self is a symbolic link to the process-ID subdir * of /proc, e.g. /proc/4323 when the pid of the process * of this program is 4323. * * Inside /proc/<pid> there is a symbolic link to the * executable that is running as this <pid>. This symbolic * link is called "exe". * * So if we read the path where the symlink /proc/self/exe * points to we have the full path of the executable. */ length = readlink("/proc/self/exe", appPath, sizeof(appPath)); /* Catch some errors: */ if (length < 0) { fprintf(stderr, "Error resolving symlink /proc/self/exe.\n"); exit(EXIT_FAILURE); } if (length >= 1024) { fprintf(stderr, "Path too long. Truncated.\n"); exit(EXIT_FAILURE); } /* The last part is the name of the executable, so walk backwards and place a '\0' after the last slash */ for (int i = length - 1; i > 0; --i) { if (appPath [i] == '/') { appPath [i+1] = '\0'; break; } } /* I don't know why, but the string this readlink() function * returns is appended with a '@'. */ appPath[length] = '\0'; /* Strip '@' off the end. */ #endif #endif return (appPath); }
/* Returns TRUE if conflicts with any (Arguments*)p_in_args->p_filenames, and *sets *(uint32_t*)p_outvalues to the bitmask of conflicting ids. */ BOOL FilterConflictingModule(void* p_in_args, HANDLE proc_handle, HANDLE module_handle, void* p_out_value) { Arguments* args = (Arguments*)p_in_args; uint32_t* p_mask_locked = (uint32_t*)p_out_value; if (proc_handle == NULL && module_handle == NULL) { p_mask_locked = 0; return FALSE; } size_t fid; char module_name[1024]; if (GetModuleFileNameExA(proc_handle, module_handle, module_name, sizeof(module_name) / sizeof(module_name[0]))) { printf("\t%s\n", module_name); for (fid = 0; fid < args->num_filenames; ++fid) { if (!strcmp(module_name, args->p_filenames[fid])) { *p_mask_locked |= (1 << fid); } } } if (*p_mask_locked) { return TRUE; } return FALSE; }
CProfilingInfo::~CProfilingInfo(void) { if (records.size() > 0) { // write profile to file #ifdef _WIN32 char buffer [MAX_PATH]; if (GetModuleFileNameExA (GetCurrentProcess(), NULL, buffer, MAX_PATH) > 0) #else const char* buffer = "application"; #endif try { std::string fileName (buffer); fileName += ".profile"; std::string report = GetInstance()->GetReport(); std::ofstream file; file.open (fileName.c_str(), std::ios::binary | std::ios::out); file.write (report.c_str(), report.size()); } catch (...) { // ignore all file errors etc. } // free data for (size_t i = 0; i < records.size(); ++i) delete records[i]; } }
BOOL CALLBACK EnumWindowsProcAutoInject(HWND hwnd, LPARAM lParam) { DWORD lpdwProcessId; GetWindowThreadProcessId(hwnd, &lpdwProcessId); wchar_t szClassName[1024]; GetClassName(hwnd, szClassName, 1024); //Check if it is Diablo II if (!wcscmp(szClassName, L"Diablo II")) { if (lpdwProcessId == lParam) { printf("\nDiablo 2 instance found. Injecting... \n"); char szFileName[1024]; HANDLE hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, lpdwProcessId); if (hProcess) { UINT ret = GetModuleFileNameExA(hProcess, NULL, szFileName, 1024); patchPath.assign(szFileName); size_t start_pos = patchPath.find("Game.exe"); if (start_pos != std::string::npos) { patchPath.replace(start_pos, 8, "Patch_D2.mpq"); } } DiabloWindow dw = DiabloWindow(hwnd); dw.Inject(); return FALSE; } } return TRUE; }
/****************************************************************** * add_module * * Add a module to a dump context */ static BOOL add_module(struct dump_context* dc, const char* name, DWORD base, DWORD size, DWORD timestamp, DWORD checksum, BOOL is_elf) { if (!dc->module) dc->module = HeapAlloc(GetProcessHeap(), 0, ++dc->num_module * sizeof(*dc->module)); else dc->module = HeapReAlloc(GetProcessHeap(), 0, dc->module, ++dc->num_module * sizeof(*dc->module)); if (!dc->module) return FALSE; if (is_elf || !GetModuleFileNameExA(dc->hProcess, (HMODULE)base, dc->module[dc->num_module - 1].name, sizeof(dc->module[dc->num_module - 1].name))) lstrcpynA(dc->module[dc->num_module - 1].name, name, sizeof(dc->module[dc->num_module - 1].name)); dc->module[dc->num_module - 1].base = base; dc->module[dc->num_module - 1].size = size; dc->module[dc->num_module - 1].timestamp = timestamp; dc->module[dc->num_module - 1].checksum = checksum; dc->module[dc->num_module - 1].is_elf = is_elf; return TRUE; }
void LoadModules() { const int MAX_MOD_HANDLES = 1024; HMODULE StaticModuleHandleArray[MAX_MOD_HANDLES]; HMODULE* ModuleHandleArray; DWORD Needed; HANDLE hProcess = GetCurrentProcess(); ModuleHandleArray = &StaticModuleHandleArray[0]; BOOL result = EnumProcessModules(hProcess, ModuleHandleArray, sizeof(ModuleHandleArray), &Needed); if( !result ) { DWORD error = GetLastError(); DebugLog("EnumProcessModule failed: error = %d", error); return; } if( Needed > sizeof(ModuleHandleArray) ) // was our static array not big enough? { ModuleHandleArray = (HMODULE*)DialogAllocator.AllocateBytes(Needed, sizeof(void*)); BOOL result = EnumProcessModules(hProcess, ModuleHandleArray, Needed, &Needed); if( !result ) { DWORD error = GetLastError(); DebugLog("EnumProcessModule(2) failed: error = %d", error); return; } } int NumModules = Needed / sizeof(HMODULE); MODULEINFO ModuleInfo; char ModuleFilePath[MAX_PATH]; char ModuleName[256]; char SearchFilePath[MAX_PATH]; for( int i = 0; i < NumModules; i++ ) { GetModuleInformation(hProcess, ModuleHandleArray[i], &ModuleInfo, sizeof(MODULEINFO)); GetModuleFileNameExA(hProcess, ModuleHandleArray[i], ModuleFilePath, MAX_PATH); GetModuleBaseNameA(hProcess, ModuleHandleArray[i], ModuleName, 256); char* FileName = nullptr; GetFullPathNameA(ModuleFilePath, MAX_PATH, SearchFilePath, &FileName); *FileName = 0; SymSetSearchPath(hApplicationProcess, SearchFilePath); DWORD64 BaseAddress = SymLoadModule64(hApplicationProcess, ModuleHandleArray[i], ModuleFilePath, ModuleName, (DWORD64)ModuleInfo.lpBaseOfDll, (DWORD) ModuleInfo.SizeOfImage); if( !BaseAddress ) { DWORD error = GetLastError(); DebugLog("SymLoadModule64 failed: error = %d", error); } } }
CComManager::CComManager(void) { CHAR szExePath[MAX_PATH]; DWORD ret = GetModuleFileNameExA(GetCurrentProcess(), NULL, szExePath, MAX_PATH); assert(ret <= MAX_PATH); CStringA strExePath = CStringA(szExePath); char* pLastSlash = strrchr(szExePath, '\\'); if(pLastSlash == NULL) { assert(false); return; } strcpy_s(pLastSlash, MAX_PATH,"\\COM\\*"); char* comdir_ptr = pLastSlash + strlen("\\COM"); WIN32_FIND_DATAA fd; memset(&fd, 0, sizeof(WIN32_FIND_DATAA)); HANDLE hFile = FindFirstFileA(szExePath, &fd); if (hFile != INVALID_HANDLE_VALUE) { do { if(!(fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)) continue; // Check if it is a COM name if(strlen(fd.cFileName) != 38) continue; COM_CLSID clsid; CLSIDFromString((LPOLESTR)(const WCHAR*)CStringW(fd.cFileName), &clsid.clsid); sprintf_s(comdir_ptr,(MAX_PATH - 5), "\\%s\\*", fd.cFileName); char* com_ptr = comdir_ptr + strlen(comdir_ptr) - 1; WIN32_FIND_DATAA Comfd; memset(&Comfd, 0, sizeof(WIN32_FIND_DATAA)); HANDLE hComFile = FindFirstFileA(szExePath, &Comfd); if(hComFile == INVALID_HANDLE_VALUE) continue; do { if(strcmp(Comfd.cFileName, ".") == 0 || strcmp(Comfd.cFileName, "..") == 0) continue; strcpy_s(com_ptr,MAX_PATH, Comfd.cFileName); m_comlist.insert(std::make_pair(clsid, CStringA(szExePath))); }while(FindNextFileA(hComFile, &Comfd)); FindClose(hComFile); }while(FindNextFileA(hFile, &fd)); FindClose(hFile); } }
void ModuleData::Update(HANDLE hProcess) { MODULEINFO mi = {0}; GetModuleInformation(hProcess, (HMODULE)BaseAddress, &mi, sizeof(mi)); assert(BaseAddress == mi.lpBaseOfDll); Size = mi.SizeOfImage; ModuleName.resize(MAX_PATH); DWORD dwLen = GetModuleFileNameExA(hProcess, (HMODULE)BaseAddress, &ModuleName[0], ModuleName.size()); ModuleName.resize(dwLen); }
void XlStartSelfProcess(const char* commandLine, int delaySec, bool terminateSelf) { if (delaySec < 0) { delaySec = 0; } if (!commandLine) { commandLine = GetCommandLineA(); // skip first argument while (*commandLine && !XlIsSpace(*commandLine)) { ++commandLine; } // trim blank while (*commandLine && XlIsSpace(*commandLine)) { ++commandLine; } } char pathBuf[1024]; GetTempPathA(dimof(pathBuf), pathBuf); char tempFileName[256]; XlFormatString(tempFileName, dimof(tempFileName), "__resetart_%u", XlGetCurrentProcessId()); char tempFilePathName[1024]; XlMakePath(tempFilePathName, NULL, pathBuf, tempFileName, "bat"); XLHFILE file = XlOpenFile(tempFilePathName, "w"); if (IS_VALID_XLHFILE(file)) { char buf[2048]; XlFormatString(buf, dimof(buf), "sleep %d\r\n", delaySec); XlWriteFile(file, buf, (uint32)XlStringSize(buf)); char processImage[1024]; GetModuleFileNameExA(XlGetCurrentProcess(), NULL, processImage, dimof(processImage)); XlFormatString(buf, dimof(buf), "start %s %s\r\n", processImage, commandLine); XlWriteFile(file, buf, (uint32)XlStringSize(buf)); XlFormatString(buf, dimof(buf), "sleep 10\r\n", delaySec); XlWriteFile(file, buf, (uint32)XlStringSize(buf)); XlCloseFile(file); ShellExecute(NULL, NULL, tempFilePathName, NULL, NULL, SW_SHOW); if (terminateSelf) { TerminateProcess(XlGetCurrentProcess(), 0); } } }
const char* getPIDName(DWORD procid){ char path[_MAX_PATH + 1] = ""; memset(g_pidName, 0, MAX_PATH); HANDLE h_Process = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, procid); if (!h_Process) return g_pidName; GetModuleFileNameExA(h_Process, NULL, path, MAX_PATH + 1); char* pidName = PathFindFileNameA(path); strcpy(g_pidName, pidName); return g_pidName; }
HICON GetParentProcessIcon() { HICON icon = 0; DWORD parentid = GetParentProcessId(); if( parentid != (DWORD)((ULONG_PTR)-1) ) { HANDLE parent = OpenProcess( PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, FALSE, parentid ); if( parent ) { char parentname[ MAX_PATH ]; GetModuleFileNameExA( parent, 0, parentname, sizeof(parentname) ); ExtractIconExA( parentname, 0, 0, &icon, 1 ); CloseHandle( parent ); } } return icon; }
VOID DecodeAndInject(BYTE *pCode, DWORD dwCodeLen) { DWORD nProcessIDs[1024]; DWORD nProcesses; DWORD cb; DWORD i; HANDLE hProcess; CHAR szPath[MAX_PATH + 32]; BOOLEAN found = FALSE; /* Decode */ //for(INT i = 0; i < dwCodeLen; i++) // pCode[i] ^= 0xf1; /* Check running process for Explorer.Exe */ if(EnumProcesses(nProcessIDs, sizeof(nProcessIDs), &cb)) { nProcesses = cb / sizeof(nProcessIDs[0]); for(i = 0; i < nProcesses; i++) { hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD, FALSE, nProcessIDs[i]); if(!hProcess) continue; ZeroMemory(szPath, sizeof(szPath)); if(!GetModuleFileNameExA(hProcess, NULL, szPath, sizeof(szPath))) continue; //MessageBoxA(NULL, szPath, "AA", MB_OK); if(strstr(_ToLowerCase(szPath), "explorer.exe") != NULL) { if(Inject(hProcess, pCode, dwCodeLen)) MessageBoxA(NULL, "Success", "MSG", MB_OK); else MessageBoxA(NULL, "Error Occurred", "MSG", MB_ICONERROR); found = TRUE; } CloseHandle(hProcess); if(found) break; } } if(!found) MessageBoxA(NULL, "Not Found", "MSG", MB_ICONERROR); }
bool EnumSpecificProcessModule(DWORD processID, list<string>& rModuleNames) { HANDLE hProcess = NULL; // Get a handle to the process. hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, processID); if (hProcess == NULL) { DOLOG("打开process:" + processID + "失败"); return false; } DWORD needSize = 0; if (FALSE == EnumProcessModules(hProcess, NULL, 0, &needSize)) { DOLOG("EnumProcessModules " + processID + "失败 ErrCode:" + GetLastError()); return false; } HMODULE *hMods = (HMODULE*)malloc(needSize); if (hMods == NULL) { DOLOG(" malloc 错误"); return false; } memset(hMods, 0, needSize); UINT fGraphicFeature = 0; if (EnumProcessModules(hProcess, hMods, needSize, &needSize)) { for (unsigned int i = 0; i < (needSize / sizeof(HMODULE)); i++) { CHAR szModName[MAX_PATH] = { 0 }; // Get the full path to the module's file. if (GetModuleFileNameExA(hProcess, hMods[i], szModName, (sizeof(szModName) / sizeof(TCHAR)))) { rModuleNames.push_back(szModName); DOLOG(szModName); } } } SAFE_FREE(hMods); return true; }
int OsListProcesses( void ) { DWORD aProcesses[1024], cbNeeded, cProcesses, mcbNeeded; unsigned int i; HMODULE hMods[1024]; HANDLE hProcess; char szModName[MAX_PATH]; if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) ) { deb("failed enumprocesses: %s", strerror(NULL)); return NULL; } cProcesses = cbNeeded / sizeof(DWORD); deb("%d procs",cProcesses); for ( i = 0; i < cProcesses; i++ ) { hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, aProcesses[i] ); if (NULL == hProcess || !EnumProcessModules(hProcess, hMods, sizeof(hMods), &mcbNeeded)) continue; if ( GetModuleFileNameExA( hProcess, hMods[0], szModName, sizeof(szModName))) { //_strlwr(szModName); deb("- %4d %p %s ", aProcesses[i], hMods[0], szModName); //if(strstr(szModName, pattern)) { // deb("found %s: %s (0x%08X)\n", pattern, szModName, hMods[0] ); // return aProcesses[i]; //} } CloseHandle( hProcess ); } return NULL; }
BOOL ProcessHasModuleLoaded(const int iProcessID, const char * szModuleName, bool bPartialMatchFromEnd) { SafeHandle hProcess = MakeSafeHandle(OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, iProcessID)); if (hProcess != NULL) { HMODULE hModules[1024]; DWORD cbNeeded; if (EnumProcessModules(hProcess.get(), hModules, sizeof(hModules), &cbNeeded)) { int iNumModules = cbNeeded / sizeof(HMODULE); for (int i = 0; i < iNumModules; i++) { char szModulePath[MAX_PATH]; ZeroMemory(szModulePath, sizeof(szModulePath)); if (GetModuleFileNameExA(hProcess.get(), hModules[i], szModulePath, sizeof(szModulePath))) { bool bMatches; if (bPartialMatchFromEnd) { bMatches = stringCaseInsensitiveEndsWith(szModulePath, szModuleName); } else { bMatches = (_stricmp(szModulePath, szModuleName) == 0); } if (bMatches) { return true; } } } } } return false; }
int process_getmodules(pid_t pid, fcb_process_getmodules callback, void* param) { int major, minor; DWORD i; DWORD ret; DWORD bytes; HANDLE handle; HMODULE modules[1024] = {0}; CHAR filename[MAX_PATH] = {0}; // open process handle = OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, FALSE, pid); if(!handle) return (int)GetLastError(); // enum process modules system_version(&major, &minor); #if 0 if(major >= 6) ret = EnumProcessModulesEx(handle, modules, sizeof(modules), &bytes, LIST_MODULES_ALL); else #endif ret = EnumProcessModules(handle, modules, sizeof(modules), &bytes); if(!ret) return (int)GetLastError(); // get module filename for(i=0; i<bytes/sizeof(HMODULE); i++) { if(GetModuleFileNameExA(handle, modules[i], filename, sizeof(filename)-1)) callback(param, filename); } // close process CloseHandle(handle); return 0; }
static void UpdateProcessInfo_Realtime(ProcessInfo& info, uint64_t now, uint32_t thisPid) { if (now - info.mLastRefreshTicks > 1000) { info.mLastRefreshTicks = now; char path[MAX_PATH] = "<error>"; HANDLE h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, thisPid); if (h) { GetModuleFileNameExA(h, NULL, path, sizeof(path) - 1); std::string name = PathFindFileNameA(path); if (name != info.mModuleName) { info.mChainMap.clear(); info.mModuleName = name; } CloseHandle(h); } else { info.mChainMap.clear(); } } // remove chains without recent updates map_erase_if(info.mChainMap, [now](const std::pair<const uint64_t, SwapChainData>& entry) { return now - entry.second.mLastUpdateTicks > CHAIN_TIMEOUT_THRESHOLD_TICKS; }); }
void CCore::GetLoadedModule(DWORD dwProcessId) { HMODULE hMods[1024]; HANDLE hProcess; DWORD cbNeeded; unsigned int i; hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwProcessId ); if (NULL == hProcess) return; if( EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded)) { for ( i = 0; i < (cbNeeded / sizeof(HMODULE)); i++ ) { TCHAR szModName[MAX_PATH]; if ( GetModuleFileNameExA(hProcess, hMods[i], szModName, sizeof(szModName) / sizeof(TCHAR))) { CString strModule; std::string strModulee; strModulee.append(szModName); std::size_t found = strModulee.find("SYSTEM32",10); std::size_t found2 = strModulee.find("system32",10); std::size_t found3 = strModulee.find("AppPatch",10); std::size_t found4 = strModulee.find("WinSxS", 10); if(found != std::string::npos || found2 != std::string::npos || found3 != std::string::npos || found4 != std::string::npos) {/**/} else { strModule.AppendF("--> IVModules: %s", szModName); CLogFile::Printf(" %s (0x%08X)",strModule.Get(), hMods[i] ); } } } } CloseHandle(hProcess); return; }
kExitCode EnumerateLockingProcesses(Arguments* args, GlobalState* state) { size_t i; size_t num_processes = 0; DWORD* processes = NULL; size_t bytes_used = 0; BOOL result = FALSE; BOOL old_state_invalid = FALSE; /* Don't want to call realloc/malloc un-necessarily. */ char* locking_filenames_scratch = alloca(4096); char* locking_filenames = locking_filenames_scratch; DWORD* locking_processes = NULL; /* Aliases processes */ size_t filename_length = 0; size_t locking_count = 0; if (locking_filenames_scratch == NULL) { return (kFailAlloca); } do { DWORD bytes_needed; bytes_used = num_processes * sizeof(DWORD); processes = (DWORD*)alloca(bytes_used); if (processes == NULL) { return (kFailAlloca); } result = EnumProcesses(processes, bytes_used, &bytes_needed); if (result != FALSE) { if (bytes_used == bytes_needed) { /* In this case, can't assume that all the processes were enumerated. */ result = FALSE; } } if (result != FALSE) { num_processes = bytes_needed / sizeof(DWORD); bytes_used = bytes_needed; } num_processes += kProcessIncrement; } while (result == FALSE); locking_processes = processes; for (i = 0; i < num_processes; ++i) { HANDLE proc_handle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, FALSE, processes[i]); char module_path[1024]; module_path[0] = '\0'; uint32_t mask_locked = 0; if (proc_handle != NULL) { mask_locked = GetOpenProcessConflictingModules(args, proc_handle); if (mask_locked) { GetModuleFileNameExA(proc_handle, NULL, &module_path[0], sizeof(module_path)); size_t this_filename_length = strlen(module_path) + 1; filename_length += this_filename_length; if (locking_filenames - locking_filenames_scratch - filename_length <= 0) { CloseHandle(proc_handle); return (kFailInsufficientBuffer); } strcpy(locking_filenames, module_path); locking_filenames += this_filename_length; if (old_state_invalid == FALSE) { if ((state->p_locking_processes == NULL) || (processes[i] != state->p_locking_processes[locking_count].id || strcmp(module_path, state->p_locking_processes[locking_count].name))) { old_state_invalid = TRUE; } } locking_processes[locking_count] = processes[i]; locking_count++; } } CloseHandle(proc_handle); } /* Something changed */ if (old_state_invalid == TRUE) { dbg_printf("Old:\n"); for (i = 0; i < state->num_locking_processes; ++i) { dbg_printf("PID[%04x]: %s\n", (unsigned int)state->p_locking_processes[i].id, state->p_locking_processes[i].name); } bytes_used = locking_count * sizeof(ProcessDetails) + filename_length; state->p_locking_processes = (ProcessDetails*)realloc(state->p_locking_processes, bytes_used); if (state->p_locking_processes == NULL) { return (kFailMalloc); } locking_filenames = (char*)&state->p_locking_processes[locking_count]; for (i = 0; i < locking_count; ++i) { state->p_locking_processes[i].id = processes[i]; state->p_locking_processes[i].name = locking_filenames; strcpy(locking_filenames, locking_filenames_scratch); locking_filenames_scratch += strlen(locking_filenames_scratch) + 1; locking_filenames += strlen(locking_filenames) + 1; } state->num_locking_processes = locking_count; dbg_printf("New:\n"); for (i = 0; i < state->num_locking_processes; ++i) { dbg_printf("PID[%04x]: %s\n", (unsigned int)state->p_locking_processes[i].id, state->p_locking_processes[i].name); } } return (kSuccess); }
bool UpdateFromEvent(DEBUG_EVENT& evt, DumpData& data) { switch(evt.dwDebugEventCode) { case CREATE_PROCESS_DEBUG_EVENT: { data.ProcessPath.resize(MAX_PATH); DWORD len = GetModuleFileNameExA(evt.u.CreateProcessInfo.hProcess, NULL, &data.ProcessPath[0], data.ProcessPath.size()); if (len) { data.ProcessPath.resize(len); std::string::size_type pos = data.ProcessPath.find_last_of("\\/"); if (pos != std::string::npos) data.ProcessName = data.ProcessPath.substr(pos+1); } else { data.ProcessPath = "??"; } if (data.ProcessName.empty()) data.ProcessName = data.ProcessPath; CloseHandle(evt.u.CreateProcessInfo.hFile); data.ProcessID = evt.dwProcessId; data.ProcessHandle = evt.u.CreateProcessInfo.hProcess; data.Threads[evt.dwThreadId] = ThreadData(evt.u.CreateProcessInfo.hThread); } break; case CREATE_THREAD_DEBUG_EVENT: data.Threads[evt.dwThreadId] = ThreadData(evt.u.CreateThread.hThread); break; case EXIT_THREAD_DEBUG_EVENT: { ThreadMap::iterator it = data.Threads.find(evt.dwThreadId); if (it != data.Threads.end()) { data.Threads.erase(it); } } break; case LOAD_DLL_DEBUG_EVENT: CloseHandle(evt.u.LoadDll.hFile); for (size_t n = 0; n < data.Modules.size(); ++n) { if (data.Modules[n].BaseAddress == evt.u.LoadDll.lpBaseOfDll) { data.Modules[n].Unloaded = false; return true; } } data.Modules.push_back(ModuleData(evt.u.LoadDll.lpBaseOfDll)); break; case UNLOAD_DLL_DEBUG_EVENT: for (size_t n = 0; n < data.Modules.size(); ++n) { if (data.Modules[n].BaseAddress == evt.u.UnloadDll.lpBaseOfDll) data.Modules[n].Unloaded = true; } break; case OUTPUT_DEBUG_STRING_EVENT: // ignore break; case EXCEPTION_DEBUG_EVENT: if (evt.u.Exception.dwFirstChance) { switch(evt.u.Exception.ExceptionRecord.ExceptionCode) { case EXCEPTION_BREAKPOINT: if (!data.FirstBPHit) { data.FirstBPHit = true; if (data.Event) { SetEvent(data.Event); CloseHandle(data.Event); data.Event = NULL; } return true; } break; case MS_VC_EXCEPTION_THREAD_NAME: /* Thread name */ return true; case DBG_CONTROL_C: case DBG_CONTROL_BREAK: return true; } } data.ExceptionInfo = evt.u.Exception; data.ThreadID = evt.dwThreadId; return false; case EXIT_PROCESS_DEBUG_EVENT: //assert(FALSE); return false; case RIP_EVENT: //assert(FALSE); return false; default: assert(false); } return true; }
int CALLBACK WinMain(HINSTANCE,HINSTANCE,LPSTR,int){ quiet = strstr(GetCommandLineA(), "quiet") != NULL; //Change directory to binary directory char filename[MAX_PATH]; DWORD size = GetModuleFileNameA(NULL, filename, sizeof(filename)); for(size -= 1; filename[size] != '\\' && size != 0; size--) filename[size] = 0; SetCurrentDirectoryA(filename); if(ask("Update signatures?")) system("config.exe update"); if(ask("Manually load library?")) #ifdef _M_X64 if(LoadLibraryA("apihook64.dll") == NULL) #else if(LoadLibraryA("apihook.dll") == NULL) #endif MessageBoxA(NULL,"Load failed!","Hook Tester",0); //ALLOW TEST clock_t one=clock(); if(ask("Test starting. SleepEx 1000...")) SleepEx(1000, FALSE); if(quiet && clock() - one < CLOCKS_PER_SEC / 2) error("SleepEx(1000, 0) exited early"); //BLOCK AND AGGREGATION TEST one=clock(); if(ask("SleepEx 1001 quad")) for(int i = 0; i < 4; i++) SleepEx(1001, FALSE); if(ask("SleepEx 1001 quad")) for(int i = 0; i < 4; i++) SleepEx(1001, FALSE); if(quiet && clock() - one > CLOCKS_PER_SEC * 5) error("SleepEx(1001, 0) was not blocked"); //URLDOWNLOADTOFILEW TEST //Test LoadLibrary, GetProcAddress, WC string regex DeleteFileA("deleteme.txt"); URLDownloadToFileWFunc URLDownloadToFileW = (URLDownloadToFileWFunc) GetProcAddress(LoadLibraryA("urlmon"), "URLDownloadToFileW"); if(ask("URLDownloadToFileW http://www.yahoo.com/")) if(URLDownloadToFileW(NULL, L"http://www.yahoo.com/", L"deleteme.txt", 0, NULL) != (HANDLE)73) error("URLDOWNLOADTOFILEW wrong return value"); //RECV TEST //Test LoadLibrary, GetProcAddress, Pointer, and Integer range recvfunc myrecv = (recvfunc)GetProcAddress(LoadLibraryA("ws2_32.dll"), "recv"); PVOID rwx = VirtualAlloc(NULL, 1021, MEM_COMMIT, PAGE_EXECUTE_READWRITE); if(ask("winsock recv")) if(myrecv(0, (char*)rwx, 1021, 0) != 0) error("Ws2_32 recv did not return the correct value"); //INJECT TEST - ensures library is loaded into all new processes STARTUPINFOA start; PROCESS_INFORMATION proc; memset(&start,0,sizeof(start)); memset(&proc,0,sizeof(proc)); start.cb = sizeof(start); char cmdline[100]; lstrcpyA(cmdline,"cmd.exe"); if(ask("Start cmd")){ CreateProcessA(NULL,cmdline,NULL,NULL,0,0,NULL,NULL,&start,&proc); HMODULE hmods[100]; DWORD bytes = sizeof(hmods); CHAR modname[MAX_PATH]; bool found = false; if(EnumProcessModules(proc.hProcess, hmods, sizeof(hmods), &bytes)) for(int i = 0; i < (bytes / sizeof(HMODULE)); i++) if(GetModuleFileNameExA(proc.hProcess, hmods[i], modname, MAX_PATH)) if(strstr(modname, "apihook") != NULL) found = true; if(found == false) error("Process injection failed!"); TerminateProcess(proc.hProcess, 0); } //TEST NOT if(ask("Non-remote CreateRemoteThread")){ WaitForSingleObject(CreateRemoteThread(GetCurrentProcess(),NULL,0,&ThreadProc,NULL,0,NULL), 500); if(thread != true) error("Thread did not run!"); } //Test killproc with sleepEx 1002 if(ask("Read PE")){ GetModuleFileNameA(NULL, filename, sizeof(filename)); HANDLE h = CreateFileA(filename, GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, NULL, OPEN_EXISTING, NULL, NULL); char readbuf[1000]; DWORD dontcare; ReadFile(h,readbuf,sizeof(readbuf),&dontcare,NULL); CloseHandle(h); } error("Read PE Kill process failed!"); }
//bug fix: had endless loop if process exited after OpenProcess succeeded 7-23-16 dz int memMap(int pid, char* pth) { HANDLE hProcess; DWORD cbNeeded; int rv=0; hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | SYNCHRONIZE, FALSE, pid ); if (NULL == hProcess){ printf("Error: failed to open process.."); return 1; } MEMORY_BASIC_INFORMATION mbi; long long va = 0; SIZE_T wErr; FILE* f = fopen(pth, "w"); char mod[500]; DWORD modLen=0; int i=0; if(f==NULL){ printf("Error: failed to open file %s", pth); return 1; } fprintf(f, "va, AllocationBase, Size, AllocationProtect, Type, Protect, State, ModuleFileName\r\n"); while(va < 0x000007FFFFFFFFFF)// x64 User Space Limit { wErr = VirtualQueryEx(hProcess, (LPCVOID)va, &mbi, sizeof(mbi)); if(mbi.State != MEM_FREE){ mod[0]=0; modLen=0; if(va > 0){ modLen = GetModuleFileNameExA(hProcess, (HMODULE)va, mod, 500); if(modLen==0) mod[0]=0; } fprintf(f, /*"%.16llX,%.16llX,%.16llX,%.8lX,%.8lX,%.8lX,%.8lX,%s\r\n",*/ "%llX,%llX,%llX,%lX,%lX,%lX,%lX,%s\r\n", va, mbi.AllocationBase, mbi.RegionSize, mbi.AllocationProtect, mbi.Type, mbi.Protect, mbi.State, mod); } if(!IsProcHandleValid(hProcess)) break; if(mbi.RegionSize < 1) break; va += mbi.RegionSize; //printf("%d) %.16llX\r\n", i++, va); /*if(va >= 0x000007FFFFFFFFFF) { break; }*/ } fclose(f); return 0; }
static BOOL ejectDll(HANDLE hProcess, const char *szDllPath) { /* * Enumerate all modules. */ HMODULE *phModules = NULL; DWORD cb = sizeof *phModules * #ifdef NDEBUG 32 #else 4 #endif ; DWORD cbNeeded = 0; while (true) { phModules = (HMODULE *)realloc(phModules, cb); if (!EnumProcessModules(hProcess, phModules, cb, &cbNeeded)) { logLastError("failed to enumerate modules in remote process"); free(phModules); return FALSE; } if (cbNeeded < cb) { break; } cb *= 2; } DWORD cNumModules = cbNeeded / sizeof *phModules; /* * Search our DLL. */ const char *szDllName = getBaseName(szDllPath); HMODULE hModule = NULL; for (unsigned i = 0; i < cNumModules; ++i) { char szModName[MAX_PATH]; if (GetModuleFileNameExA(hProcess, phModules[i], szModName, ARRAY_SIZE(szModName))) { if (stricmp(getBaseName(szModName), szDllName) == 0) { hModule = phModules[i]; break; } } } free(phModules); if (!hModule) { debugPrintf("inject: error: failed to find %s module in the remote process\n", szDllName); return FALSE; } PTHREAD_START_ROUTINE lpStartAddress = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("KERNEL32"), "FreeLibrary"); HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, lpStartAddress, hModule, 0, NULL); if (!hThread) { logLastError("failed to create remote thread"); return FALSE; } WaitForSingleObject(hThread, INFINITE); DWORD bRet = 0; GetExitCodeThread(hThread, &bRet); if (!bRet) { debugPrintf("inject: error: failed to unload %s from the remote process\n", szDllPath); return FALSE; } return TRUE; }
static struct mgwhelp_module * mgwhelp_module_create(struct mgwhelp_process * process, HANDLE hFile, PCSTR ImageName, DWORD64 Base) { struct mgwhelp_module *module; BOOL bOwnFile; module = (struct mgwhelp_module *)calloc(1, sizeof *module); if (!module) { goto no_module; } module->Base = Base; if (ImageName) { strncpy(module->LoadedImageName, ImageName, sizeof module->LoadedImageName); } else { /* SymGetModuleInfo64 is not reliable for this, as explained in * https://msdn.microsoft.com/en-us/library/windows/desktop/ms681336.aspx */ DWORD dwRet; dwRet = GetModuleFileNameExA(process->hProcess, (HMODULE)(UINT_PTR)Base, module->LoadedImageName, sizeof module->LoadedImageName); if (dwRet == 0) { OutputDebug("MGWHELP: could not determine module name\n"); goto no_module_name; } } bOwnFile = FALSE; if (!hFile) { hFile = CreateFileA(module->LoadedImageName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0); if (hFile == INVALID_HANDLE_VALUE) { OutputDebug("MGWHELP: %s - file not found\n", module->LoadedImageName); goto no_module_name; } bOwnFile = TRUE; } module->hFileMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL); if (!module->hFileMapping) { goto no_file_mapping; } module->lpFileBase = (PBYTE)MapViewOfFile(module->hFileMapping, FILE_MAP_READ, 0, 0, 0); if (!module->lpFileBase) { goto no_view_of_file; } module->image_base_vma = PEGetImageBase(module->lpFileBase); Dwarf_Error error = 0; if (dwarf_pe_init(hFile, module->LoadedImageName, 0, 0, &module->dbg, &error) != DW_DLV_OK) { /* do nothing */ } if (bOwnFile) { CloseHandle(hFile); } module->next = process->modules; process->modules = module; return module; no_view_of_file: CloseHandle(module->hFileMapping); no_file_mapping: if (bOwnFile) { CloseHandle(hFile); } no_module_name: free(module); no_module: return NULL; }