/// Stores procPath and starts the m_check timer at a fixed 100 ms interval,
/// with its timeout() signal wired to this object's CheckProcess() slot.
///
/// @param procPath  Path kept in m_procPath for the later checks.
ProcessProxy::ProcessProxy(QString procPath)
    : m_procPath(procPath),
      m_process(0)
{
    // Every timer tick re-runs CheckProcess(); nothing is started here.
    connect(&m_check, SIGNAL(timeout()), this, SLOT(CheckProcess()));
    m_check.start(100);
}
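/// Reads the 32-bit PEB of the process named by procName into the peb32
/// member and returns a copy of it.
///
/// @param procName  Name of the target process; resolved to a handle by the
///                  class's own OpenProcess(LPWSTR&) overload and stored in
///                  hProcess.
/// @return The PEB32 filled in by ReadPEB().
///
/// Every failure prints a diagnostic and calls exit(EXIT_FAILURE); no error is
/// reported back to the caller.  hProcess is not closed here —
/// NOTE(review): confirm the owner of hProcess releases it.
PEB32 PEBUtils::GetProcessPEB32(LPWSTR &procName)
{
    hProcess = OpenProcess(procName);

    // Judging by Init(), CheckProcess() is the WOW64 probe: a false result
    // means the target is a native 64-bit process, which has no PEB32.
    if (!CheckProcess(hProcess)) {
        printf("Remote Process is 64 bit but using GetProcesPeb32\n");
        exit(EXIT_FAILURE);
    }

    status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi,
                                       sizeof(PROCESS_BASIC_INFORMATION), &dwLength);
    if (status != 0x0) {
        // NTSTATUS is a signed 32-bit LONG; cast so the specifier matches it.
        printf("NtQueryInformationProcess Error 0x%lx\n", static_cast<unsigned long>(status));
        exit(EXIT_FAILURE);
    }

    // PebBaseAddress is a pointer: %p prints all of it on 64-bit builds,
    // where %x would truncate it to the low 32 bits.
    printf("PEB address : %p\n", static_cast<void *>(pbi.PebBaseAddress));

    // A disabled VirtualProtectEx block that changed the PEB page protection
    // before the read was removed; the read path never depended on it since
    // it was already commented out.
    SIZE_T dwBytesRead = 0x0;
    ReadPEB(dwBytesRead);
    return peb32;
}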
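/// Resolves the PSAPI entry points from hLib into the file-scope function
/// pointers lpfEnumProcesses, lpfEnumProcessModules and lpfGetModuleBaseName,
/// enumerates all PIDs and returns true if CheckProcess() accepts one of them.
/// The caller owns hLib and releases it after this returns.
static bool ScanProcessesWith(HMODULE hLib)
{
    lpfEnumProcesses = reinterpret_cast<ENUMPROCESSES>(GetProcAddress(hLib, "EnumProcesses"));
    if (!lpfEnumProcesses) {
        return false;
    }
    lpfEnumProcessModules = reinterpret_cast<ENUMPROCESSMODULES>(GetProcAddress(hLib, "EnumProcessModules"));
    if (!lpfEnumProcessModules) {
        return false;
    }
    lpfGetModuleBaseName = reinterpret_cast<GETMODULEBASENAME>(GetProcAddress(hLib, "GetModuleBaseNameA"));
    if (!lpfGetModuleBaseName) {
        return false;
    }

    DWORD dwPIDArray[MAX_PROCESSES];   // process IDs filled in by EnumProcesses
    DWORD dwBytesReturned = 0;         // EnumProcesses reports BYTES, not a PID count
    if (!lpfEnumProcesses(dwPIDArray, sizeof(dwPIDArray), &dwBytesReturned)) {
        return false;
    }

    const DWORD count = dwBytesReturned / sizeof(DWORD);
    for (DWORD i = 0; i < count; ++i) {
        // NOTE(review): CheckProcess(DWORD) returns a HANDLE that is never
        // closed here; confirm whether it is an owned handle before adding
        // CloseHandle.  `!= NULL` replaces the original `> 0`, whose result
        // for a pointer compared against null is unspecified.
        HANDLE hProc = CheckProcess(dwPIDArray[i]);
        if (hProc != NULL) {
            return true;
        }
    }
    return false;
}

/// Returns true if any process on the system satisfies CheckProcess(pid).
///
/// PSAPI is loaded dynamically (the original comment targets NT/2000/XP, where
/// it is not a static import) and released before returning on every path —
/// the original only freed it on the fall-through path and leaked the module
/// on each early return.  As a side effect the three PSAPI function pointers
/// at file scope are (re)assigned.
///
/// @return true if CheckProcess() returned a non-null handle for some PID,
///         false if PSAPI could not be located/loaded/resolved, enumeration
///         failed, or no process matched.
bool IsProcessRunning()
{
    // Build the PSAPI path from the real system directory instead of the
    // hard-coded "C:\WINDOWS\system32": the Windows root is not fixed, and an
    // absolute path in the source is the first thing to break on a relocated
    // install.  A full path also keeps the load off the DLL search order.
    char psapiPath[MAX_PATH] = {};
    const UINT sysLen = GetSystemDirectoryA(psapiPath, MAX_PATH);
    const char suffix[] = "\\PSAPI.dll";
    // 0 means failure; a value >= MAX_PATH means the buffer was too small.
    // sizeof(suffix) includes the terminating NUL, so this keeps the
    // concatenation in bounds.
    if (sysLen == 0 || sysLen + sizeof(suffix) > MAX_PATH) {
        return false;
    }
    lstrcatA(psapiPath, suffix);

    // LoadLibraryA explicitly: the original passed a narrow literal to the
    // LoadLibrary macro, which is only correct in a non-UNICODE build.
    HMODULE hLib = LoadLibraryA(psapiPath);
    if (!hLib) {
        return false;
    }

    const bool found = ScanProcessesWith(hLib);
    FreeLibrary(hLib);   // released on every path, not only on the miss path
    return found;
}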
/// One-time setup: reports whether CheckProcess() flags the current process
/// (printed as "Wow64 present..") and resolves NtQueryInformationProcess from
/// the already-loaded ntdll.dll into the member of the same name.
///
/// A failed GetModuleHandle or GetProcAddress prints a message and
/// terminates the program with EXIT_FAILURE.
void PEBUtils::Init()
{
    if (CheckProcess(GetCurrentProcess())) {
        printf("Wow64 present..\n");
    }

    // ntdll is mapped into every process, so GetModuleHandle is enough —
    // no LoadLibrary, and therefore no FreeLibrary, is required.
    hModule = GetModuleHandleA("ntdll.dll");
    if (hModule == NULL) {
        printf("GetModuleHandle Error\n");
        exit(EXIT_FAILURE);
    }

    // Function-pointer conversion written as a named cast rather than a
    // C-style cast; the conversion itself is unchanged.
    FARPROC rawProc = GetProcAddress(hModule, "NtQueryInformationProcess");
    NtQueryInformationProcess = reinterpret_cast<lpfNtQueryInformationProcess>(rawProc);
    if (NtQueryInformationProcess == NULL) {
        printf("GetProcAddress Error\n");
        exit(EXIT_FAILURE);
    }
}
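/// Reads the 64-bit PEB of the process named by procName into the peb64
/// member and returns a copy of it.
///
/// @param procName  Name of the target process; resolved to a handle by the
///                  class's own OpenProcess(LPWSTR&) overload and stored in
///                  hProcess.
/// @return The PEB64 filled in by ReadPEB64().
///
/// Every failure prints a diagnostic and calls exit(EXIT_FAILURE); no error is
/// reported back to the caller.  hProcess is not closed here —
/// NOTE(review): confirm the owner of hProcess releases it.
PEB64 PEBUtils::GetProcessPEB64(LPWSTR &procName)
{
    hProcess = OpenProcess(procName);

    // Judging by Init(), CheckProcess() is the WOW64 probe: a true result
    // means the target is a 32-bit process, whose PEB is not a PEB64.
    if (CheckProcess(hProcess)) {
        printf("Remote Process is 32 bit but using GetProcesPeb64\n");
        exit(EXIT_FAILURE);
    }

    status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi,
                                       sizeof(PROCESS_BASIC_INFORMATION), &dwLength);
    if (status != 0x0) {
        // NTSTATUS is a signed 32-bit LONG; cast so the specifier matches it.
        printf("NtQueryInformationProcess Error 0x%lx\n", static_cast<unsigned long>(status));
        exit(EXIT_FAILURE);
    }

    // PebBaseAddress is a pointer: %p prints all of it on 64-bit builds,
    // where %x would truncate it to the low 32 bits — and a 64-bit PEB is
    // exactly the case where the upper half matters.
    printf("PEB address : %p\n", static_cast<void *>(pbi.PebBaseAddress));

    SIZE_T dwBytesRead = 0x0;
    ReadPEB64(dwBytesRead);
    return peb64;
}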
/// Runs the zero-argument CheckModule() and then CheckProcess().
/// The KillMe() call was left disabled by the author and is kept commented
/// out so this function only performs the two checks.
void ScanQMarco()
{
    CheckModule();
    CheckProcess();
    // KillMe();   // disabled in the original; retained for reference
}