const char *NAMESPACE::Application::executablePath()
{
static char appPath[1024]=".";
#ifdef WIN32
GetModuleFileNameExA(GetCurrentProcess(),NULL,appPath,1024);
// remove file name
char *pos = strrchr(appPath,'\\');
if (pos) {
*(pos+1) = '\0';
}
#else
#ifndef __APPLE__
int length;
/* /proc/self is a symbolic link to the process-ID subdir
* of /proc, e.g. /proc/4323 when the pid of the process
* of this program is 4323.
*
* Inside /proc/<pid> there is a symbolic link to the
* executable that is running as this <pid>. This symbolic
* link is called "exe".
*
* So if we read the path where the symlink /proc/self/exe
* points to we have the full path of the executable.
*/
length = readlink("/proc/self/exe", appPath, sizeof(appPath));
/* Catch some errors: */
if (length < 0) {
fprintf(stderr, "Error resolving symlink /proc/self/exe.\n");
exit(EXIT_FAILURE);
}
if (length >= 1024) {
fprintf(stderr, "Path too long. Truncated.\n");
exit(EXIT_FAILURE);
}
/*
The last part is the name of the executable, so walk backwards
and place a '\0' after the last slash
*/
for (int i = length - 1; i > 0; --i)
{
if (appPath [i] == '/')
{
appPath [i+1] = '\0';
break;
}
}
/* I don't know why, but the string this readlink() function
* returns is appended with a '@'.
*/
appPath[length] = '\0'; /* Strip '@' off the end. */
#endif
#endif
return (appPath);
}
/* Returns TRUE if conflicts with any (Arguments*)p_in_args->p_filenames, and
*sets
*(uint32_t*)p_outvalues to the bitmask of conflicting ids. */
BOOL FilterConflictingModule(void* p_in_args, HANDLE proc_handle,
HANDLE module_handle, void* p_out_value) {
Arguments* args = (Arguments*)p_in_args;
uint32_t* p_mask_locked = (uint32_t*)p_out_value;
if (proc_handle == NULL && module_handle == NULL) {
p_mask_locked = 0;
return FALSE;
}
size_t fid;
char module_name[1024];
if (GetModuleFileNameExA(proc_handle, module_handle, module_name,
sizeof(module_name) / sizeof(module_name[0]))) {
printf("\t%s\n", module_name);
for (fid = 0; fid < args->num_filenames; ++fid) {
if (!strcmp(module_name, args->p_filenames[fid])) {
*p_mask_locked |= (1 << fid);
}
}
}
if (*p_mask_locked) {
return TRUE;
}
return FALSE;
}
CProfilingInfo::~CProfilingInfo(void)
{
if (records.size() > 0)
{
// write profile to file
#ifdef _WIN32
char buffer [MAX_PATH];
if (GetModuleFileNameExA (GetCurrentProcess(), NULL, buffer, MAX_PATH) > 0)
#else
const char* buffer = "application";
#endif
try
{
std::string fileName (buffer);
fileName += ".profile";
std::string report = GetInstance()->GetReport();
std::ofstream file;
file.open (fileName.c_str(), std::ios::binary | std::ios::out);
file.write (report.c_str(), report.size());
}
catch (...)
{
// ignore all file errors etc.
}
// free data
for (size_t i = 0; i < records.size(); ++i)
delete records[i];
}
}
BOOL CALLBACK EnumWindowsProcAutoInject(HWND hwnd, LPARAM lParam) {
DWORD lpdwProcessId;
GetWindowThreadProcessId(hwnd, &lpdwProcessId);
wchar_t szClassName[1024];
GetClassName(hwnd, szClassName, 1024);
//Check if it is Diablo II
if (!wcscmp(szClassName, L"Diablo II")) {
if (lpdwProcessId == lParam) {
printf("\nDiablo 2 instance found. Injecting... \n");
char szFileName[1024];
HANDLE hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, lpdwProcessId);
if (hProcess) {
UINT ret = GetModuleFileNameExA(hProcess, NULL, szFileName, 1024);
patchPath.assign(szFileName);
size_t start_pos = patchPath.find("Game.exe");
if (start_pos != std::string::npos) {
patchPath.replace(start_pos, 8, "Patch_D2.mpq");
}
}
DiabloWindow dw = DiabloWindow(hwnd);
dw.Inject();
return FALSE;
}
}
return TRUE;
}
/******************************************************************
* add_module
*
* Add a module to a dump context
*/
static BOOL add_module(struct dump_context* dc, const char* name,
DWORD base, DWORD size, DWORD timestamp, DWORD checksum,
BOOL is_elf)
{
if (!dc->module)
dc->module = HeapAlloc(GetProcessHeap(), 0,
++dc->num_module * sizeof(*dc->module));
else
dc->module = HeapReAlloc(GetProcessHeap(), 0, dc->module,
++dc->num_module * sizeof(*dc->module));
if (!dc->module) return FALSE;
if (is_elf ||
!GetModuleFileNameExA(dc->hProcess, (HMODULE)base,
dc->module[dc->num_module - 1].name,
sizeof(dc->module[dc->num_module - 1].name)))
lstrcpynA(dc->module[dc->num_module - 1].name, name,
sizeof(dc->module[dc->num_module - 1].name));
dc->module[dc->num_module - 1].base = base;
dc->module[dc->num_module - 1].size = size;
dc->module[dc->num_module - 1].timestamp = timestamp;
dc->module[dc->num_module - 1].checksum = checksum;
dc->module[dc->num_module - 1].is_elf = is_elf;
return TRUE;
}
void LoadModules()
{
const int MAX_MOD_HANDLES = 1024;
HMODULE StaticModuleHandleArray[MAX_MOD_HANDLES];
HMODULE* ModuleHandleArray;
DWORD Needed;
HANDLE hProcess = GetCurrentProcess();
ModuleHandleArray = &StaticModuleHandleArray[0];
BOOL result = EnumProcessModules(hProcess, ModuleHandleArray, sizeof(ModuleHandleArray), &Needed);
if( !result )
{
DWORD error = GetLastError();
DebugLog("EnumProcessModule failed: error = %d", error);
return;
}
if( Needed > sizeof(ModuleHandleArray) ) // was our static array not big enough?
{
ModuleHandleArray = (HMODULE*)DialogAllocator.AllocateBytes(Needed, sizeof(void*));
BOOL result = EnumProcessModules(hProcess, ModuleHandleArray, Needed, &Needed);
if( !result )
{
DWORD error = GetLastError();
DebugLog("EnumProcessModule(2) failed: error = %d", error);
return;
}
}
int NumModules = Needed / sizeof(HMODULE);
MODULEINFO ModuleInfo;
char ModuleFilePath[MAX_PATH];
char ModuleName[256];
char SearchFilePath[MAX_PATH];
for( int i = 0; i < NumModules; i++ )
{
GetModuleInformation(hProcess, ModuleHandleArray[i], &ModuleInfo, sizeof(MODULEINFO));
GetModuleFileNameExA(hProcess, ModuleHandleArray[i], ModuleFilePath, MAX_PATH);
GetModuleBaseNameA(hProcess, ModuleHandleArray[i], ModuleName, 256);
char* FileName = nullptr;
GetFullPathNameA(ModuleFilePath, MAX_PATH, SearchFilePath, &FileName);
*FileName = 0;
SymSetSearchPath(hApplicationProcess, SearchFilePath);
DWORD64 BaseAddress = SymLoadModule64(hApplicationProcess, ModuleHandleArray[i], ModuleFilePath, ModuleName, (DWORD64)ModuleInfo.lpBaseOfDll, (DWORD) ModuleInfo.SizeOfImage);
if( !BaseAddress )
{
DWORD error = GetLastError();
DebugLog("SymLoadModule64 failed: error = %d", error);
}
}
}
CComManager::CComManager(void)
{
CHAR szExePath[MAX_PATH];
DWORD ret = GetModuleFileNameExA(GetCurrentProcess(), NULL, szExePath, MAX_PATH);
assert(ret <= MAX_PATH);
CStringA strExePath = CStringA(szExePath);
char* pLastSlash = strrchr(szExePath, '\\');
if(pLastSlash == NULL)
{
assert(false);
return;
}
strcpy_s(pLastSlash, MAX_PATH,"\\COM\\*");
char* comdir_ptr = pLastSlash + strlen("\\COM");
WIN32_FIND_DATAA fd;
memset(&fd, 0, sizeof(WIN32_FIND_DATAA));
HANDLE hFile = FindFirstFileA(szExePath, &fd);
if (hFile != INVALID_HANDLE_VALUE)
{
do
{
if(!(fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY))
continue;
// Check if it is a COM name
if(strlen(fd.cFileName) != 38)
continue;
COM_CLSID clsid;
CLSIDFromString((LPOLESTR)(const WCHAR*)CStringW(fd.cFileName), &clsid.clsid);
sprintf_s(comdir_ptr,(MAX_PATH - 5), "\\%s\\*", fd.cFileName);
char* com_ptr = comdir_ptr + strlen(comdir_ptr) - 1;
WIN32_FIND_DATAA Comfd;
memset(&Comfd, 0, sizeof(WIN32_FIND_DATAA));
HANDLE hComFile = FindFirstFileA(szExePath, &Comfd);
if(hComFile == INVALID_HANDLE_VALUE)
continue;
do
{
if(strcmp(Comfd.cFileName, ".") == 0 || strcmp(Comfd.cFileName, "..") == 0)
continue;
strcpy_s(com_ptr,MAX_PATH, Comfd.cFileName);
m_comlist.insert(std::make_pair(clsid, CStringA(szExePath)));
}while(FindNextFileA(hComFile, &Comfd));
FindClose(hComFile);
}while(FindNextFileA(hFile, &fd));
FindClose(hFile);
}
}
void ModuleData::Update(HANDLE hProcess)
{
MODULEINFO mi = {0};
GetModuleInformation(hProcess, (HMODULE)BaseAddress, &mi, sizeof(mi));
assert(BaseAddress == mi.lpBaseOfDll);
Size = mi.SizeOfImage;
ModuleName.resize(MAX_PATH);
DWORD dwLen = GetModuleFileNameExA(hProcess, (HMODULE)BaseAddress, &ModuleName[0], ModuleName.size());
ModuleName.resize(dwLen);
}
void XlStartSelfProcess(const char* commandLine, int delaySec, bool terminateSelf)
{
if (delaySec < 0) {
delaySec = 0;
}
if (!commandLine) {
commandLine = GetCommandLineA();
// skip first argument
while (*commandLine && !XlIsSpace(*commandLine)) {
++commandLine;
}
// trim blank
while (*commandLine && XlIsSpace(*commandLine)) {
++commandLine;
}
}
char pathBuf[1024];
GetTempPathA(dimof(pathBuf), pathBuf);
char tempFileName[256];
XlFormatString(tempFileName, dimof(tempFileName), "__resetart_%u", XlGetCurrentProcessId());
char tempFilePathName[1024];
XlMakePath(tempFilePathName, NULL, pathBuf, tempFileName, "bat");
XLHFILE file = XlOpenFile(tempFilePathName, "w");
if (IS_VALID_XLHFILE(file)) {
char buf[2048];
XlFormatString(buf, dimof(buf), "sleep %d\r\n", delaySec);
XlWriteFile(file, buf, (uint32)XlStringSize(buf));
char processImage[1024];
GetModuleFileNameExA(XlGetCurrentProcess(), NULL, processImage, dimof(processImage));
XlFormatString(buf, dimof(buf), "start %s %s\r\n", processImage, commandLine);
XlWriteFile(file, buf, (uint32)XlStringSize(buf));
XlFormatString(buf, dimof(buf), "sleep 10\r\n", delaySec);
XlWriteFile(file, buf, (uint32)XlStringSize(buf));
XlCloseFile(file);
ShellExecute(NULL, NULL, tempFilePathName, NULL, NULL, SW_SHOW);
if (terminateSelf) {
TerminateProcess(XlGetCurrentProcess(), 0);
}
}
}
const char* getPIDName(DWORD procid){
char path[_MAX_PATH + 1] = "";
memset(g_pidName, 0, MAX_PATH);
HANDLE h_Process = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, procid);
if (!h_Process) return g_pidName;
GetModuleFileNameExA(h_Process, NULL, path, MAX_PATH + 1);
char* pidName = PathFindFileNameA(path);
strcpy(g_pidName, pidName);
return g_pidName;
}
HICON GetParentProcessIcon() {
HICON icon = 0;
DWORD parentid = GetParentProcessId();
if( parentid != (DWORD)((ULONG_PTR)-1) ) {
HANDLE parent = OpenProcess( PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, FALSE, parentid );
if( parent ) {
char parentname[ MAX_PATH ];
GetModuleFileNameExA( parent, 0, parentname, sizeof(parentname) );
ExtractIconExA( parentname, 0, 0, &icon, 1 );
CloseHandle( parent );
}
}
return icon;
}
VOID DecodeAndInject(BYTE *pCode, DWORD dwCodeLen)
{
DWORD nProcessIDs[1024];
DWORD nProcesses;
DWORD cb;
DWORD i;
HANDLE hProcess;
CHAR szPath[MAX_PATH + 32];
BOOLEAN found = FALSE;
/* Decode */
//for(INT i = 0; i < dwCodeLen; i++)
// pCode[i] ^= 0xf1;
/* Check running process for Explorer.Exe */
if(EnumProcesses(nProcessIDs, sizeof(nProcessIDs), &cb)) {
nProcesses = cb / sizeof(nProcessIDs[0]);
for(i = 0; i < nProcesses; i++) {
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD,
FALSE, nProcessIDs[i]);
if(!hProcess)
continue;
ZeroMemory(szPath, sizeof(szPath));
if(!GetModuleFileNameExA(hProcess, NULL, szPath, sizeof(szPath)))
continue;
//MessageBoxA(NULL, szPath, "AA", MB_OK);
if(strstr(_ToLowerCase(szPath), "explorer.exe") != NULL) {
if(Inject(hProcess, pCode, dwCodeLen))
MessageBoxA(NULL, "Success", "MSG", MB_OK);
else
MessageBoxA(NULL, "Error Occurred", "MSG", MB_ICONERROR);
found = TRUE;
}
CloseHandle(hProcess);
if(found)
break;
}
}
if(!found)
MessageBoxA(NULL, "Not Found", "MSG", MB_ICONERROR);
}
bool EnumSpecificProcessModule(DWORD processID, list<string>& rModuleNames)
{
HANDLE hProcess = NULL;
// Get a handle to the process.
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ,
FALSE, processID);
if (hProcess == NULL)
{
DOLOG("打开process:" + processID + "失败");
return false;
}
DWORD needSize = 0;
if (FALSE == EnumProcessModules(hProcess, NULL, 0, &needSize))
{
DOLOG("EnumProcessModules " + processID + "失败 ErrCode:" + GetLastError());
return false;
}
HMODULE *hMods = (HMODULE*)malloc(needSize);
if (hMods == NULL)
{
DOLOG(" malloc 错误");
return false;
}
memset(hMods, 0, needSize);
UINT fGraphicFeature = 0;
if (EnumProcessModules(hProcess, hMods, needSize, &needSize))
{
for (unsigned int i = 0; i < (needSize / sizeof(HMODULE)); i++)
{
CHAR szModName[MAX_PATH] = { 0 };
// Get the full path to the module's file.
if (GetModuleFileNameExA(hProcess, hMods[i], szModName, (sizeof(szModName) / sizeof(TCHAR))))
{
rModuleNames.push_back(szModName);
DOLOG(szModName);
}
}
}
SAFE_FREE(hMods);
return true;
}
int OsListProcesses( void )
{
DWORD aProcesses[1024], cbNeeded, cProcesses, mcbNeeded;
unsigned int i;
HMODULE hMods[1024];
HANDLE hProcess;
char szModName[MAX_PATH];
if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) )
{
deb("failed enumprocesses: %s", strerror(NULL));
return NULL;
}
cProcesses = cbNeeded / sizeof(DWORD);
deb("%d procs",cProcesses);
for ( i = 0; i < cProcesses; i++ )
{
hProcess = OpenProcess( PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ,
FALSE, aProcesses[i] );
if (NULL == hProcess || !EnumProcessModules(hProcess, hMods,
sizeof(hMods), &mcbNeeded))
continue;
if ( GetModuleFileNameExA( hProcess, hMods[0],
szModName, sizeof(szModName)))
{
//_strlwr(szModName);
deb("- %4d %p %s ", aProcesses[i], hMods[0], szModName);
//if(strstr(szModName, pattern)) {
// deb("found %s: %s (0x%08X)\n", pattern, szModName, hMods[0] );
// return aProcesses[i];
//}
}
CloseHandle( hProcess );
}
return NULL;
}
BOOL ProcessHasModuleLoaded(const int iProcessID, const char * szModuleName, bool bPartialMatchFromEnd)
{
SafeHandle hProcess = MakeSafeHandle(OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, iProcessID));
if (hProcess != NULL)
{
HMODULE hModules[1024];
DWORD cbNeeded;
if (EnumProcessModules(hProcess.get(), hModules, sizeof(hModules), &cbNeeded))
{
int iNumModules = cbNeeded / sizeof(HMODULE);
for (int i = 0; i < iNumModules; i++)
{
char szModulePath[MAX_PATH];
ZeroMemory(szModulePath, sizeof(szModulePath));
if (GetModuleFileNameExA(hProcess.get(), hModules[i], szModulePath, sizeof(szModulePath)))
{
bool bMatches;
if (bPartialMatchFromEnd)
{
bMatches = stringCaseInsensitiveEndsWith(szModulePath, szModuleName);
}
else
{
bMatches = (_stricmp(szModulePath, szModuleName) == 0);
}
if (bMatches)
{
return true;
}
}
}
}
}
return false;
}
int process_getmodules(pid_t pid, fcb_process_getmodules callback, void* param)
{
int major, minor;
DWORD i;
DWORD ret;
DWORD bytes;
HANDLE handle;
HMODULE modules[1024] = {0};
CHAR filename[MAX_PATH] = {0};
// open process
handle = OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, FALSE, pid);
if(!handle)
return (int)GetLastError();
// enum process modules
system_version(&major, &minor);
#if 0
if(major >= 6)
ret = EnumProcessModulesEx(handle, modules, sizeof(modules), &bytes, LIST_MODULES_ALL);
else
#endif
ret = EnumProcessModules(handle, modules, sizeof(modules), &bytes);
if(!ret)
return (int)GetLastError();
// get module filename
for(i=0; i<bytes/sizeof(HMODULE); i++)
{
if(GetModuleFileNameExA(handle, modules[i], filename, sizeof(filename)-1))
callback(param, filename);
}
// close process
CloseHandle(handle);
return 0;
}
static void UpdateProcessInfo_Realtime(ProcessInfo& info, uint64_t now, uint32_t thisPid)
{
if (now - info.mLastRefreshTicks > 1000) {
info.mLastRefreshTicks = now;
char path[MAX_PATH] = "<error>";
HANDLE h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, thisPid);
if (h) {
GetModuleFileNameExA(h, NULL, path, sizeof(path) - 1);
std::string name = PathFindFileNameA(path);
if (name != info.mModuleName) {
info.mChainMap.clear();
info.mModuleName = name;
}
CloseHandle(h);
} else {
info.mChainMap.clear();
}
}
// remove chains without recent updates
map_erase_if(info.mChainMap, [now](const std::pair<const uint64_t, SwapChainData>& entry) {
return now - entry.second.mLastUpdateTicks > CHAIN_TIMEOUT_THRESHOLD_TICKS;
});
}
void CCore::GetLoadedModule(DWORD dwProcessId)
{
HMODULE hMods[1024];
HANDLE hProcess;
DWORD cbNeeded;
unsigned int i;
hProcess = OpenProcess( PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ,
FALSE, dwProcessId );
if (NULL == hProcess)
return;
if( EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded)) {
for ( i = 0; i < (cbNeeded / sizeof(HMODULE)); i++ ) {
TCHAR szModName[MAX_PATH];
if ( GetModuleFileNameExA(hProcess, hMods[i], szModName, sizeof(szModName) / sizeof(TCHAR))) {
CString strModule;
std::string strModulee;
strModulee.append(szModName);
std::size_t found = strModulee.find("SYSTEM32",10);
std::size_t found2 = strModulee.find("system32",10);
std::size_t found3 = strModulee.find("AppPatch",10);
std::size_t found4 = strModulee.find("WinSxS", 10);
if(found != std::string::npos || found2 != std::string::npos || found3 != std::string::npos || found4 != std::string::npos) {/**/}
else {
strModule.AppendF("--> IVModules: %s", szModName);
CLogFile::Printf(" %s (0x%08X)",strModule.Get(), hMods[i] );
}
}
}
}
CloseHandle(hProcess);
return;
}
kExitCode EnumerateLockingProcesses(Arguments* args, GlobalState* state) {
size_t i;
size_t num_processes = 0;
DWORD* processes = NULL;
size_t bytes_used = 0;
BOOL result = FALSE;
BOOL old_state_invalid =
FALSE; /* Don't want to call realloc/malloc un-necessarily. */
char* locking_filenames_scratch = alloca(4096);
char* locking_filenames = locking_filenames_scratch;
DWORD* locking_processes = NULL; /* Aliases processes */
size_t filename_length = 0;
size_t locking_count = 0;
if (locking_filenames_scratch == NULL) {
return (kFailAlloca);
}
do {
DWORD bytes_needed;
bytes_used = num_processes * sizeof(DWORD);
processes = (DWORD*)alloca(bytes_used);
if (processes == NULL) {
return (kFailAlloca);
}
result = EnumProcesses(processes, bytes_used, &bytes_needed);
if (result != FALSE) {
if (bytes_used == bytes_needed) {
/* In this case, can't assume that all the processes were enumerated. */
result = FALSE;
}
}
if (result != FALSE) {
num_processes = bytes_needed / sizeof(DWORD);
bytes_used = bytes_needed;
}
num_processes += kProcessIncrement;
} while (result == FALSE);
locking_processes = processes;
for (i = 0; i < num_processes; ++i) {
HANDLE proc_handle =
OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, FALSE,
processes[i]);
char module_path[1024];
module_path[0] = '\0';
uint32_t mask_locked = 0;
if (proc_handle != NULL) {
mask_locked = GetOpenProcessConflictingModules(args, proc_handle);
if (mask_locked) {
GetModuleFileNameExA(proc_handle, NULL, &module_path[0],
sizeof(module_path));
size_t this_filename_length = strlen(module_path) + 1;
filename_length += this_filename_length;
if (locking_filenames - locking_filenames_scratch - filename_length <=
0) {
CloseHandle(proc_handle);
return (kFailInsufficientBuffer);
}
strcpy(locking_filenames, module_path);
locking_filenames += this_filename_length;
if (old_state_invalid == FALSE) {
if ((state->p_locking_processes == NULL) ||
(processes[i] != state->p_locking_processes[locking_count].id ||
strcmp(module_path,
state->p_locking_processes[locking_count].name))) {
old_state_invalid = TRUE;
}
}
locking_processes[locking_count] = processes[i];
locking_count++;
}
}
CloseHandle(proc_handle);
}
/* Something changed */
if (old_state_invalid == TRUE) {
dbg_printf("Old:\n");
for (i = 0; i < state->num_locking_processes; ++i) {
dbg_printf("PID[%04x]: %s\n",
(unsigned int)state->p_locking_processes[i].id,
state->p_locking_processes[i].name);
}
bytes_used = locking_count * sizeof(ProcessDetails) + filename_length;
state->p_locking_processes =
(ProcessDetails*)realloc(state->p_locking_processes, bytes_used);
if (state->p_locking_processes == NULL) {
return (kFailMalloc);
}
locking_filenames = (char*)&state->p_locking_processes[locking_count];
for (i = 0; i < locking_count; ++i) {
state->p_locking_processes[i].id = processes[i];
state->p_locking_processes[i].name = locking_filenames;
strcpy(locking_filenames, locking_filenames_scratch);
locking_filenames_scratch += strlen(locking_filenames_scratch) + 1;
locking_filenames += strlen(locking_filenames) + 1;
}
state->num_locking_processes = locking_count;
dbg_printf("New:\n");
for (i = 0; i < state->num_locking_processes; ++i) {
dbg_printf("PID[%04x]: %s\n",
(unsigned int)state->p_locking_processes[i].id,
state->p_locking_processes[i].name);
}
}
return (kSuccess);
}
bool UpdateFromEvent(DEBUG_EVENT& evt, DumpData& data)
{
switch(evt.dwDebugEventCode)
{
case CREATE_PROCESS_DEBUG_EVENT:
{
data.ProcessPath.resize(MAX_PATH);
DWORD len = GetModuleFileNameExA(evt.u.CreateProcessInfo.hProcess, NULL, &data.ProcessPath[0], data.ProcessPath.size());
if (len)
{
data.ProcessPath.resize(len);
std::string::size_type pos = data.ProcessPath.find_last_of("\\/");
if (pos != std::string::npos)
data.ProcessName = data.ProcessPath.substr(pos+1);
}
else
{
data.ProcessPath = "??";
}
if (data.ProcessName.empty())
data.ProcessName = data.ProcessPath;
CloseHandle(evt.u.CreateProcessInfo.hFile);
data.ProcessID = evt.dwProcessId;
data.ProcessHandle = evt.u.CreateProcessInfo.hProcess;
data.Threads[evt.dwThreadId] = ThreadData(evt.u.CreateProcessInfo.hThread);
}
break;
case CREATE_THREAD_DEBUG_EVENT:
data.Threads[evt.dwThreadId] = ThreadData(evt.u.CreateThread.hThread);
break;
case EXIT_THREAD_DEBUG_EVENT:
{
ThreadMap::iterator it = data.Threads.find(evt.dwThreadId);
if (it != data.Threads.end())
{
data.Threads.erase(it);
}
}
break;
case LOAD_DLL_DEBUG_EVENT:
CloseHandle(evt.u.LoadDll.hFile);
for (size_t n = 0; n < data.Modules.size(); ++n)
{
if (data.Modules[n].BaseAddress == evt.u.LoadDll.lpBaseOfDll)
{
data.Modules[n].Unloaded = false;
return true;
}
}
data.Modules.push_back(ModuleData(evt.u.LoadDll.lpBaseOfDll));
break;
case UNLOAD_DLL_DEBUG_EVENT:
for (size_t n = 0; n < data.Modules.size(); ++n)
{
if (data.Modules[n].BaseAddress == evt.u.UnloadDll.lpBaseOfDll)
data.Modules[n].Unloaded = true;
}
break;
case OUTPUT_DEBUG_STRING_EVENT: // ignore
break;
case EXCEPTION_DEBUG_EVENT:
if (evt.u.Exception.dwFirstChance)
{
switch(evt.u.Exception.ExceptionRecord.ExceptionCode)
{
case EXCEPTION_BREAKPOINT:
if (!data.FirstBPHit)
{
data.FirstBPHit = true;
if (data.Event)
{
SetEvent(data.Event);
CloseHandle(data.Event);
data.Event = NULL;
}
return true;
}
break;
case MS_VC_EXCEPTION_THREAD_NAME:
/* Thread name */
return true;
case DBG_CONTROL_C:
case DBG_CONTROL_BREAK:
return true;
}
}
data.ExceptionInfo = evt.u.Exception;
data.ThreadID = evt.dwThreadId;
return false;
case EXIT_PROCESS_DEBUG_EVENT:
//assert(FALSE);
return false;
case RIP_EVENT:
//assert(FALSE);
return false;
default:
assert(false);
}
return true;
}
int CALLBACK WinMain(HINSTANCE,HINSTANCE,LPSTR,int){
quiet = strstr(GetCommandLineA(), "quiet") != NULL;
//Change directory to binary directory
char filename[MAX_PATH];
DWORD size = GetModuleFileNameA(NULL, filename, sizeof(filename));
for(size -= 1; filename[size] != '\\' && size != 0; size--)
filename[size] = 0;
SetCurrentDirectoryA(filename);
if(ask("Update signatures?"))
system("config.exe update");
if(ask("Manually load library?"))
#ifdef _M_X64
if(LoadLibraryA("apihook64.dll") == NULL)
#else
if(LoadLibraryA("apihook.dll") == NULL)
#endif
MessageBoxA(NULL,"Load failed!","Hook Tester",0);
//ALLOW TEST
clock_t one=clock();
if(ask("Test starting. SleepEx 1000..."))
SleepEx(1000, FALSE);
if(quiet && clock() - one < CLOCKS_PER_SEC / 2)
error("SleepEx(1000, 0) exited early");
//BLOCK AND AGGREGATION TEST
one=clock();
if(ask("SleepEx 1001 quad"))
for(int i = 0; i < 4; i++)
SleepEx(1001, FALSE);
if(ask("SleepEx 1001 quad"))
for(int i = 0; i < 4; i++)
SleepEx(1001, FALSE);
if(quiet && clock() - one > CLOCKS_PER_SEC * 5)
error("SleepEx(1001, 0) was not blocked");
//URLDOWNLOADTOFILEW TEST
//Test LoadLibrary, GetProcAddress, WC string regex
DeleteFileA("deleteme.txt");
URLDownloadToFileWFunc URLDownloadToFileW = (URLDownloadToFileWFunc)
GetProcAddress(LoadLibraryA("urlmon"), "URLDownloadToFileW");
if(ask("URLDownloadToFileW http://www.yahoo.com/"))
if(URLDownloadToFileW(NULL, L"http://www.yahoo.com/", L"deleteme.txt", 0, NULL) != (HANDLE)73)
error("URLDOWNLOADTOFILEW wrong return value");
//RECV TEST
//Test LoadLibrary, GetProcAddress, Pointer, and Integer range
recvfunc myrecv = (recvfunc)GetProcAddress(LoadLibraryA("ws2_32.dll"), "recv");
PVOID rwx = VirtualAlloc(NULL, 1021, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if(ask("winsock recv"))
if(myrecv(0, (char*)rwx, 1021, 0) != 0)
error("Ws2_32 recv did not return the correct value");
//INJECT TEST - ensures library is loaded into all new processes
STARTUPINFOA start;
PROCESS_INFORMATION proc;
memset(&start,0,sizeof(start));
memset(&proc,0,sizeof(proc));
start.cb = sizeof(start);
char cmdline[100];
lstrcpyA(cmdline,"cmd.exe");
if(ask("Start cmd")){
CreateProcessA(NULL,cmdline,NULL,NULL,0,0,NULL,NULL,&start,&proc);
HMODULE hmods[100];
DWORD bytes = sizeof(hmods);
CHAR modname[MAX_PATH];
bool found = false;
if(EnumProcessModules(proc.hProcess, hmods, sizeof(hmods), &bytes))
for(int i = 0; i < (bytes / sizeof(HMODULE)); i++)
if(GetModuleFileNameExA(proc.hProcess, hmods[i], modname, MAX_PATH))
if(strstr(modname, "apihook") != NULL)
found = true;
if(found == false)
error("Process injection failed!");
TerminateProcess(proc.hProcess, 0);
}
//TEST NOT
if(ask("Non-remote CreateRemoteThread")){
WaitForSingleObject(CreateRemoteThread(GetCurrentProcess(),NULL,0,&ThreadProc,NULL,0,NULL), 500);
if(thread != true)
error("Thread did not run!");
}
//Test killproc with sleepEx 1002
if(ask("Read PE")){
GetModuleFileNameA(NULL, filename, sizeof(filename));
HANDLE h = CreateFileA(filename, GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,
NULL, OPEN_EXISTING, NULL, NULL);
char readbuf[1000];
DWORD dontcare;
ReadFile(h,readbuf,sizeof(readbuf),&dontcare,NULL);
CloseHandle(h);
}
error("Read PE Kill process failed!");
}
//bug fix: had endless loop if process exited after OpenProcess succeeded 7-23-16 dz
int memMap(int pid, char* pth)
{
HANDLE hProcess;
DWORD cbNeeded;
int rv=0;
hProcess = OpenProcess( PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ | SYNCHRONIZE,
FALSE, pid );
if (NULL == hProcess){
printf("Error: failed to open process..");
return 1;
}
MEMORY_BASIC_INFORMATION mbi;
long long va = 0;
SIZE_T wErr;
FILE* f = fopen(pth, "w");
char mod[500];
DWORD modLen=0;
int i=0;
if(f==NULL){
printf("Error: failed to open file %s", pth);
return 1;
}
fprintf(f, "va, AllocationBase, Size, AllocationProtect, Type, Protect, State, ModuleFileName\r\n");
while(va < 0x000007FFFFFFFFFF)// x64 User Space Limit
{
wErr = VirtualQueryEx(hProcess, (LPCVOID)va, &mbi, sizeof(mbi));
if(mbi.State != MEM_FREE){
mod[0]=0;
modLen=0;
if(va > 0){
modLen = GetModuleFileNameExA(hProcess, (HMODULE)va, mod, 500);
if(modLen==0) mod[0]=0;
}
fprintf(f,
/*"%.16llX,%.16llX,%.16llX,%.8lX,%.8lX,%.8lX,%.8lX,%s\r\n",*/
"%llX,%llX,%llX,%lX,%lX,%lX,%lX,%s\r\n",
va, mbi.AllocationBase, mbi.RegionSize, mbi.AllocationProtect, mbi.Type, mbi.Protect, mbi.State, mod);
}
if(!IsProcHandleValid(hProcess)) break;
if(mbi.RegionSize < 1) break;
va += mbi.RegionSize;
//printf("%d) %.16llX\r\n", i++, va);
/*if(va >= 0x000007FFFFFFFFFF) {
break;
}*/
}
fclose(f);
return 0;
}
static BOOL
ejectDll(HANDLE hProcess, const char *szDllPath)
{
/*
* Enumerate all modules.
*/
HMODULE *phModules = NULL;
DWORD cb = sizeof *phModules *
#ifdef NDEBUG
32
#else
4
#endif
;
DWORD cbNeeded = 0;
while (true) {
phModules = (HMODULE *)realloc(phModules, cb);
if (!EnumProcessModules(hProcess, phModules, cb, &cbNeeded)) {
logLastError("failed to enumerate modules in remote process");
free(phModules);
return FALSE;
}
if (cbNeeded < cb) {
break;
}
cb *= 2;
}
DWORD cNumModules = cbNeeded / sizeof *phModules;
/*
* Search our DLL.
*/
const char *szDllName = getBaseName(szDllPath);
HMODULE hModule = NULL;
for (unsigned i = 0; i < cNumModules; ++i) {
char szModName[MAX_PATH];
if (GetModuleFileNameExA(hProcess, phModules[i], szModName, ARRAY_SIZE(szModName))) {
if (stricmp(getBaseName(szModName), szDllName) == 0) {
hModule = phModules[i];
break;
}
}
}
free(phModules);
if (!hModule) {
debugPrintf("inject: error: failed to find %s module in the remote process\n", szDllName);
return FALSE;
}
PTHREAD_START_ROUTINE lpStartAddress =
(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("KERNEL32"), "FreeLibrary");
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, lpStartAddress, hModule, 0, NULL);
if (!hThread) {
logLastError("failed to create remote thread");
return FALSE;
}
WaitForSingleObject(hThread, INFINITE);
DWORD bRet = 0;
GetExitCodeThread(hThread, &bRet);
if (!bRet) {
debugPrintf("inject: error: failed to unload %s from the remote process\n", szDllPath);
return FALSE;
}
return TRUE;
}
static struct mgwhelp_module *
mgwhelp_module_create(struct mgwhelp_process * process,
HANDLE hFile,
PCSTR ImageName,
DWORD64 Base)
{
struct mgwhelp_module *module;
BOOL bOwnFile;
module = (struct mgwhelp_module *)calloc(1, sizeof *module);
if (!module) {
goto no_module;
}
module->Base = Base;
if (ImageName) {
strncpy(module->LoadedImageName, ImageName, sizeof module->LoadedImageName);
} else {
/* SymGetModuleInfo64 is not reliable for this, as explained in
* https://msdn.microsoft.com/en-us/library/windows/desktop/ms681336.aspx
*/
DWORD dwRet;
dwRet = GetModuleFileNameExA(process->hProcess,
(HMODULE)(UINT_PTR)Base,
module->LoadedImageName,
sizeof module->LoadedImageName);
if (dwRet == 0) {
OutputDebug("MGWHELP: could not determine module name\n");
goto no_module_name;
}
}
bOwnFile = FALSE;
if (!hFile) {
hFile = CreateFileA(module->LoadedImageName, GENERIC_READ, FILE_SHARE_READ, NULL,
OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
if (hFile == INVALID_HANDLE_VALUE) {
OutputDebug("MGWHELP: %s - file not found\n", module->LoadedImageName);
goto no_module_name;
}
bOwnFile = TRUE;
}
module->hFileMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
if (!module->hFileMapping) {
goto no_file_mapping;
}
module->lpFileBase = (PBYTE)MapViewOfFile(module->hFileMapping, FILE_MAP_READ, 0, 0, 0);
if (!module->lpFileBase) {
goto no_view_of_file;
}
module->image_base_vma = PEGetImageBase(module->lpFileBase);
Dwarf_Error error = 0;
if (dwarf_pe_init(hFile, module->LoadedImageName, 0, 0, &module->dbg, &error) != DW_DLV_OK) {
/* do nothing */
}
if (bOwnFile) {
CloseHandle(hFile);
}
module->next = process->modules;
process->modules = module;
return module;
no_view_of_file:
CloseHandle(module->hFileMapping);
no_file_mapping:
if (bOwnFile) {
CloseHandle(hFile);
}
no_module_name:
free(module);
no_module:
return NULL;
}
