├── Klog ├── code32.asm ├── code64.asm ├── log.cpp └── log.h ├── MEM DUMP ├── .manifest ├── MemDump.cpp ├── MemDump.rc ├── MemDump.rc2 ├── StdAfx.cpp ├── StdAfx.h ├── cfg.cpp ├── mem.ico ├── qpm.cpp ├── resource.h ├── x64 │ └── MemDump.exe └── x86 │ └── MemDump.exe ├── PP ├── CFG.cpp ├── DllList.cpp ├── Policy.cpp ├── Processes.exe ├── buf.cpp ├── buf.h ├── common.h ├── qpm.cpp ├── qpm.h ├── tmp.cpp └── tmp2.cpp ├── WOW ├── wow.cpp └── wow.h ├── X64 ├── ListProtected.exe ├── MemDump.exe └── lgSessions.exe └── X86 ├── ListProtected.exe ├── MemDump.exe └── lgSessions.exe /Klog/code32.asm: -------------------------------------------------------------------------------- 1 | .686 2 | extern __imp_@ObfDereferenceObject@4:DWORD 3 | 4 | extern ?LogRoutine@LogData@NT@@YGXXZ : PROC ; void __stdcall NT::LogData::LogRoutine(void) 5 | 6 | _TEXT SEGMENT 7 | 8 | ?LogRoutine@LogData@NT@@YGXPAX@Z proc 9 | 10 | call ?LogRoutine@LogData@NT@@YGXXZ 11 | pop ecx ; return address 12 | xchg [esp],ecx 13 | jmp __imp_@ObfDereferenceObject@4 14 | 15 | ?LogRoutine@LogData@NT@@YGXPAX@Z endp 16 | 17 | _TEXT ENDS 18 | 19 | END -------------------------------------------------------------------------------- /Klog/code64.asm: -------------------------------------------------------------------------------- 1 | 2 | extern __imp_ObfDereferenceObject:QWORD 3 | 4 | extern ?LogRoutine@LogData@NT@@YAXXZ : PROC ; void __cdecl NT::LogData::LogRoutine(void) 5 | 6 | _TEXT segment 7 | 8 | ?LogRoutine@LogData@NT@@YAXPEAX@Z proc 9 | 10 | mov [rsp + 8],rcx ; DriverObject 11 | sub rsp,28h 12 | call ?LogRoutine@LogData@NT@@YAXXZ 13 | add rsp,28h 14 | mov rcx,[rsp + 8] ; DriverObject 15 | jmp __imp_ObfDereferenceObject 16 | 17 | ?LogRoutine@LogData@NT@@YAXPEAX@Z endp 18 | 19 | _TEXT ends 20 | end -------------------------------------------------------------------------------- /Klog/log.cpp: -------------------------------------------------------------------------------- 1 | #include "StdAfx.h" 2 | 3 | //#define _PRINT_CPP_NAMES_ 4 | #include "../inc/asmfunc.h" 5 | 6 | _NT_BEGIN 7 | 8 | #include "log.h" 9 | 10 | extern "C" 11 | NTSYSAPI 12 | BOOLEAN 13 | NTAPI 14 | KeAlertThread( 15 | IN PKTHREAD Thread, 16 | IN KPROCESSOR_MODE AlertMode 17 | ); 18 | 19 | namespace LogData 20 | { 21 | NPAGED_LOOKASIDE_LIST gLookaside; 22 | LARGE_INTEGER ByteOffset = {}; 23 | FILE_END_OF_FILE_INFORMATION eof = {}; 24 | EX_RUNDOWN_REF gRunRef; 25 | PKTHREAD gLogThread; 26 | HANDLE ghLog; 27 | volatile BOOLEAN gExit; 28 | 29 | enum { max_log_entry_size = 0x400 }; 30 | 31 | VOID NTAPI KernelRoutine( 32 | PKAPC /*Apc*/, 33 | PKNORMAL_ROUTINE * /*NormalRoutine*/, 34 | PVOID * /*NormalContext*/, 35 | PVOID * /*SystemArgument1*/, 36 | PVOID * /*SystemArgument2*/ 37 | ) 38 | { 39 | } 40 | 41 | VOID NTAPI IoApcRoutine ( 42 | _In_ PVOID ApcContext, 43 | _In_ PIO_STATUS_BLOCK IoStatusBlock, 44 | _In_ ULONG /*Reserved*/ 45 | ) 46 | { 47 | if (0 > IoStatusBlock->Status) 48 | { 49 | DbgPrint("NtWriteFile(%x, %p)\n", IoStatusBlock->Status, IoStatusBlock->Information); 50 | } 51 | 52 | ExFreeToNPagedLookasideList(&gLookaside, ApcContext); 53 | ExReleaseRundownProtection(&gRunRef); 54 | } 55 | 56 | VOID NTAPI NormalRoutine(PVOID Apc, PVOID Buffer, PVOID Length) 57 | { 58 | LONGLONG NewByteOffset = ByteOffset.QuadPart + (ULONG)(ULONG_PTR)Length; 59 | 60 | if (eof.EndOfFile.QuadPart < NewByteOffset) 61 | { 62 | eof.EndOfFile.QuadPart = (NewByteOffset + 0xffff) & ~0xffff; 63 | IO_STATUS_BLOCK iosb; 64 | NtSetInformationFile(ghLog, &iosb, &eof, sizeof(eof), FileEndOfFileInformation); 65 | NtSetInformationFile(ghLog, &iosb, &eof, sizeof(eof), FileAllocationInformation); 66 | } 67 | 68 | // we insert APC to own created thread, which already hold driver 69 | NTSTATUS status = NtWriteFile(ghLog, 0, IoApcRoutine, Apc, (PIO_STATUS_BLOCK)Apc, Buffer, (ULONG)(ULONG_PTR)Length, &ByteOffset, 0); 70 | 71 | if (NT_ERROR(status)) 72 | { 73 | reinterpret_cast(Apc)->Status = status; 74 | reinterpret_cast(Apc)->Information = 0; 75 | IoApcRoutine(Apc, (PIO_STATUS_BLOCK)Apc, 0); 76 | } 77 | else 78 | { 79 | if (status != STATUS_PENDING) 80 | { 81 | DbgPrint("NtWriteFile(%x)\n", status); 82 | } 83 | 84 | ByteOffset.QuadPart = NewByteOffset; 85 | } 86 | } 87 | 88 | void NTAPI LogRoutine(PVOID DriverObject)ASM_FUNCTION; 89 | 90 | void LogRoutine() 91 | { 92 | CPP_FUNCTION; 93 | 94 | static LARGE_INTEGER Interval = { MAXULONG, -1 };//infinite 95 | 96 | DbgPrint("++LogRoutine()\n"); 97 | 98 | do 99 | { 100 | KeDelayExecutionThread(KernelMode, TRUE, &Interval); 101 | } while (!gExit); 102 | 103 | DbgPrint("--LogRoutine()\n"); 104 | 105 | IO_STATUS_BLOCK iosb; 106 | NtSetInformationFile(ghLog, &iosb, &ByteOffset, sizeof(ByteOffset), FileEndOfFileInformation); 107 | 108 | NtClose(ghLog); 109 | 110 | DbgPrint("{%x/%x %x/%x %x-%x}\n", 111 | gLookaside.L.TotalAllocates, gLookaside.L.TotalFrees, 112 | gLookaside.L.Depth, gLookaside.L.MaximumDepth, 113 | gLookaside.L.AllocateMisses, gLookaside.L.FreeMisses); 114 | 115 | ExDeleteNPagedLookasideList(&gLookaside); 116 | } 117 | 118 | NTSTATUS StartLogThread(PDRIVER_OBJECT DriverObject) 119 | { 120 | ObfReferenceObject(DriverObject); 121 | 122 | HANDLE hThread; 123 | NTSTATUS status = PsCreateSystemThread(&hThread, 0, 0, 0, 0, LogRoutine, DriverObject); 124 | 125 | if (0 <= status) 126 | { 127 | status = ObReferenceObjectByHandle(hThread, 0, *PsThreadType, KernelMode, (void**)&gLogThread, 0); 128 | 129 | NtClose(hThread); 130 | 131 | DbgPrint("gLogThread=%p\n", gLogThread); 132 | 133 | if (0 <= status) 134 | { 135 | return STATUS_SUCCESS; 136 | } 137 | 138 | gLogThread = 0; 139 | } 140 | 141 | ObfDereferenceObject(DriverObject); 142 | 143 | return status; 144 | } 145 | 146 | NTSTATUS CreateLogFile() 147 | { 148 | IO_STATUS_BLOCK iosb; 149 | UNICODE_STRING ObjectName; 150 | OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, &ObjectName, OBJ_CASE_INSENSITIVE }; 151 | RtlInitUnicodeString(&ObjectName, L"\\systemroot\\temp\\{A8467BE8-A379-459e-A853-39D76B1EBAAB}"); 152 | 153 | NTSTATUS status = NtCreateFile(&oa.RootDirectory, FILE_ADD_FILE, 154 | &oa, &iosb, 0, 0, FILE_SHARE_READ|FILE_SHARE_WRITE, FILE_OPEN_IF, FILE_DIRECTORY_FILE, 0, 0); 155 | 156 | if (0 <= status) 157 | { 158 | LARGE_INTEGER SystemTime; 159 | KeQuerySystemTime(&SystemTime); 160 | ExSystemTimeToLocalTime(&SystemTime, &SystemTime); 161 | TIME_FIELDS tf; 162 | RtlTimeToTimeFields(&SystemTime, &tf); 163 | 164 | WCHAR name[16]; 165 | swprintf_s(name, L"%02u.log", tf.Day); 166 | 167 | RtlInitUnicodeString(&ObjectName, name); 168 | 169 | if (0 <= (status = NtCreateFile(&ghLog, FILE_WRITE_DATA|FILE_READ_ATTRIBUTES, 170 | &oa, &iosb, 0, 0, FILE_SHARE_READ, FILE_OPEN_IF, FILE_NON_DIRECTORY_FILE, 0, 0))) 171 | { 172 | if (iosb.Information == FILE_OPENED) 173 | { 174 | union{ 175 | FILE_BASIC_INFORMATION fbi; 176 | FILE_STANDARD_INFORMATION fsi; 177 | }; 178 | 179 | if (0 <= NtQueryInformationFile(ghLog, &iosb, &fbi, sizeof(fbi), FileBasicInformation)) 180 | { 181 | // trancate file to 0 if older ~16 days 182 | if (SystemTime.QuadPart - fbi.LastWriteTime.QuadPart > 10000000LL*3600*24*16) 183 | { 184 | NtSetInformationFile(ghLog, &iosb, &eof, sizeof(eof), FileEndOfFileInformation); 185 | } 186 | } 187 | 188 | if (0 <= NtQueryInformationFile(ghLog, &iosb, &fsi, sizeof(fsi), FileStandardInformation)) 189 | { 190 | ByteOffset.QuadPart = fsi.EndOfFile.QuadPart; 191 | } 192 | } 193 | } 194 | 195 | NtClose(oa.RootDirectory); 196 | } 197 | 198 | return status; 199 | } 200 | 201 | NTSTATUS Create(PDRIVER_OBJECT DriverObject) 202 | { 203 | ExInitializeRundownProtection(&gRunRef); 204 | ExInitializeNPagedLookasideList(&gLookaside, 0, 0, 0, max_log_entry_size, '>..<', 0); 205 | 206 | NTSTATUS status = CreateLogFile(); 207 | 208 | if (0 <= status) 209 | { 210 | if (0 <= (status = StartLogThread(DriverObject))) 211 | { 212 | return STATUS_SUCCESS; 213 | } 214 | 215 | NtClose(ghLog); 216 | } 217 | 218 | ghLog = 0; 219 | 220 | ExDeleteNPagedLookasideList(&gLookaside); 221 | ExRundownCompleted(&gRunRef); 222 | 223 | return status; 224 | } 225 | 226 | void StopLog() 227 | { 228 | ExWaitForRundownProtectionRelease(&gRunRef); 229 | 230 | if (gLogThread) 231 | { 232 | DbgPrint("StopLog()\n"); 233 | 234 | gExit = TRUE; 235 | KeAlertThread(gLogThread, KernelMode); 236 | ObfDereferenceObject(gLogThread); 237 | } 238 | } 239 | 240 | void print(const char* format, ...) 241 | { 242 | va_list args; 243 | va_start(args, format); 244 | 245 | vDbgPrintEx(DPFLTR_DEFAULT_ID, DPFLTR_INFO_LEVEL, format, args); 246 | 247 | if (ExAcquireRundownProtection(&gRunRef)) 248 | { 249 | if (PKAPC Apc = (PKAPC)ExAllocateFromNPagedLookasideList(&gLookaside)) 250 | { 251 | // we insert APC to own created thread, which already hold driver 252 | KeInitializeApc(Apc, gLogThread, OriginalApcEnvironment, 253 | KernelRoutine, 0, NormalRoutine, KernelMode, Apc); 254 | 255 | PSTR buf = (PSTR)(Apc + 1); 256 | 257 | int len = _vsnprintf_s(buf, max_log_entry_size - sizeof(KAPC), _TRUNCATE, format, args); 258 | 259 | if (0 < len) 260 | { 261 | if (KeInsertQueueApc(Apc, buf, (void*)(ULONG_PTR)len, IO_NO_INCREMENT)) 262 | { 263 | return ; 264 | // NormalRoutine 265 | // IoApcRoutine 266 | // ExFreeToNPagedLookasideList 267 | // ExReleaseRundownProtection 268 | } 269 | } 270 | 271 | ExFreeToNPagedLookasideList(&gLookaside, Apc); 272 | } 273 | 274 | ExReleaseRundownProtection(&gRunRef); 275 | } 276 | } 277 | }; 278 | 279 | _NT_END -------------------------------------------------------------------------------- /Klog/log.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | namespace LogData 4 | { 5 | NTSTATUS Create(PDRIVER_OBJECT DriverObject); 6 | 7 | void StopLog(); // call Release in the end 8 | 9 | // IRQL <= DISPATCH_LEVEL 10 | // the Unicode format codes (%C, %S, %lc, %ls, %wc, %ws, and %wZ) can only be used with IRQL = PASSIVE_LEVEL. 11 | void print(const char* format, ...); 12 | }; -------------------------------------------------------------------------------- /MEM DUMP/.manifest: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | True 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /MEM DUMP/MemDump.cpp: -------------------------------------------------------------------------------- 1 | // MemDump.cpp : Defines the class behaviors for the application. 2 | // 3 | 4 | #include "stdafx.h" 5 | #include "resource.h" 6 | 7 | _NT_BEGIN 8 | #include "../tkn/tkn.h" 9 | #include "../winz/app.h" 10 | #include "../winz/window.h" 11 | #include "../inc/rtlframe.h" 12 | extern const volatile UCHAR guz = 0; 13 | 14 | void FreePM(_In_ PRTL_PROCESS_MODULES mods); 15 | NTSTATUS QueryPM(_In_ HANDLE dwProcessId, _Out_ PRTL_PROCESS_MODULES* pmods); 16 | void InitWow64(); 17 | 18 | HANDLE g_hDrv; 19 | 20 | NTSTATUS DbgReadMemory(HANDLE ProcessHandle, PVOID BaseAddres, PVOID Buffer, SIZE_T BufferLength, PSIZE_T ReturnLength ) 21 | { 22 | SIZE_T cbCopy; 23 | 24 | if (!ReturnLength) 25 | { 26 | ReturnLength = &cbCopy; 27 | } 28 | 29 | *ReturnLength = BufferLength; 30 | 31 | if ((INT_PTR)BaseAddres < 0) 32 | { 33 | if (g_hDrv) 34 | { 35 | IO_STATUS_BLOCK iosb; 36 | NTSTATUS status = NtDeviceIoControlFile(g_hDrv, 0, 0, 0, &iosb, IOCTL_ReadMemory, &BaseAddres, sizeof(BaseAddres), Buffer, (DWORD)BufferLength); 37 | *ReturnLength = iosb.Information; 38 | return status; 39 | } 40 | else 41 | { 42 | *ReturnLength = 0; 43 | return STATUS_ACCESS_VIOLATION; 44 | } 45 | } 46 | else 47 | { 48 | return ZwReadVirtualMemory(ProcessHandle, BaseAddres, Buffer, BufferLength, ReturnLength); 49 | } 50 | } 51 | 52 | OBJECT_ATTRIBUTES zoa = {sizeof(zoa)}; 53 | 54 | NTSTATUS DoIoControl(ULONG code) 55 | { 56 | IO_STATUS_BLOCK iosb; 57 | return g_hDrv ? NtDeviceIoControlFile(g_hDrv, 0, 0, 0, &iosb, code, 0, 0, 0, 0) : STATUS_INVALID_HANDLE; 58 | } 59 | 60 | NTSTATUS MyOpenProcess(PHANDLE ProcessHandle, ULONG DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID Cid) 61 | { 62 | if (g_hDrv) 63 | { 64 | IO_STATUS_BLOCK iosb; 65 | NTSTATUS status = NtDeviceIoControlFile(g_hDrv, 0, 0, 0, &iosb, IOCTL_OpenProcess, &Cid->UniqueProcess, sizeof(HANDLE), 0, 0); 66 | *ProcessHandle = (HANDLE)iosb.Information; 67 | return status; 68 | } 69 | return NtOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, Cid); 70 | } 71 | 72 | #define ComboBox_AddStringEx(hwndCtl, sz, Data) ComboBox_SetItemData(hwndCtl, ComboBox_AddString(hwndCtl, sz), Data) 73 | 74 | struct _SORTMODE 75 | { 76 | int mode; 77 | }; 78 | 79 | typedef RTL_FRAME<_SORTMODE> SORTMODE; 80 | 81 | int __cdecl KModCompare(PRTL_PROCESS_MODULE_INFORMATION& mod1, PRTL_PROCESS_MODULE_INFORMATION& mod2) 82 | { 83 | if (SORTMODE* prf = SORTMODE::get()) 84 | { 85 | switch(prf->mode) 86 | { 87 | case 0: 88 | if (mod1->ImageBase < mod2->ImageBase) return -1; 89 | if (mod1->ImageBase > mod2->ImageBase) return +1; 90 | return 0; 91 | case 1: return _stricmp( 92 | mod1->FullPathName + mod1->OffsetToFileName, 93 | mod2->FullPathName + mod2->OffsetToFileName); 94 | case -1: return _stricmp(mod1->FullPathName, mod2->FullPathName); 95 | default:__assume(false); 96 | } 97 | } 98 | 99 | return 0; 100 | } 101 | 102 | void OnDropdownComboDlls(HWND hwndDlg, HWND hwndCtl, HANDLE dwProcessId) 103 | { 104 | ComboBox_ResetContent(hwndCtl); 105 | 106 | COMBOBOXINFO cbi = { sizeof cbi }; 107 | 108 | if (!GetComboBoxInfo(hwndCtl, &cbi)) return ; 109 | 110 | PRTL_PROCESS_MODULES psmi; 111 | if (0 <= QueryPM(dwProcessId, &psmi)) 112 | { 113 | if (int Num = psmi->NumberOfModules) 114 | { 115 | PRTL_PROCESS_MODULE_INFORMATION csmi = psmi->Modules; 116 | 117 | int ksort = 3, i; 118 | do ; while(ksort && (IsDlgButtonChecked(hwndDlg, IDC_RADIO1 + --ksort) != BST_CHECKED)); 119 | 120 | PRTL_PROCESS_MODULE_INFORMATION* arr = (PRTL_PROCESS_MODULE_INFORMATION*)alloca(Num * sizeof PVOID); 121 | 122 | i = Num - 1; 123 | 124 | do arr[i] = csmi + i; while (i--); 125 | 126 | if (ksort < 2) 127 | { 128 | SORTMODE rf; 129 | rf.mode = -ksort; 130 | 131 | qsort(arr, Num, sizeof(PVOID), (int (__cdecl *)(const void *, const void *))KModCompare); 132 | } 133 | 134 | HDC hdc = ::GetDC(cbi.hwndList); 135 | HGDIOBJ o = (HGDIOBJ)::SendMessage(cbi.hwndList, WM_GETFONT, 0, 0); 136 | if (o) o = SelectObject(hdc, o); else o = (HGDIOBJ)-1; 137 | 138 | SIZE size; 139 | RECT rc; 140 | GetClientRect(cbi.hwndList, &rc); 141 | SCROLLINFO si = { sizeof si }; 142 | si.fMask = SIF_ALL; 143 | si.nPage = rc.right - rc.left; 144 | 145 | WCHAR sz[MAX_PATH + 32]; 146 | 147 | i = 0; 148 | do 149 | { 150 | csmi = arr[i]; 151 | 152 | swprintf(sz, L"[%p %p%c %c %c %S", 153 | csmi->ImageBase, (PBYTE)csmi->ImageBase + csmi->ImageSize, 154 | csmi->Flags & LDRP_IMAGE_NOT_AT_BASE ? L'[' : L')', 155 | csmi->LoadCount == MAXUSHORT ? L'@' : L'$', 156 | csmi->Flags & LDRP_STATIC_LINK ? L's' : L'd', 157 | csmi->FullPathName); 158 | 159 | GetTextExtentPoint32(hdc, sz, (int)wcslen(sz), &size); 160 | if (si.nMax < size.cx) si.nMax = size.cx; 161 | ComboBox_AddStringEx(hwndCtl, sz, csmi); 162 | 163 | } while(++i < Num); 164 | 165 | if (o != (HGDIOBJ)-1)SelectObject(hdc, o); 166 | 167 | ReleaseDC(cbi.hwndList, hdc); 168 | 169 | SendMessage(hwndCtl, CB_SETHORIZONTALEXTENT, si.nMax, 0); 170 | 171 | si.nMax += 16; 172 | SetScrollInfo(cbi.hwndList, SB_HORZ, &si, TRUE); 173 | } 174 | 175 | FreePM(psmi); 176 | } 177 | } 178 | 179 | #define FormatStatus(err, module, status) FormatMessage(\ 180 | FORMAT_MESSAGE_IGNORE_INSERTS|FORMAT_MESSAGE_FROM_HMODULE,\ 181 | GetModuleHandleW(L ## # module),status, 0, err, RTL_NUMBER_OF(err), 0) 182 | 183 | #define FormatWin32Status(err, status) FormatStatus(err, kernel32.dll, status) 184 | #define FormatNTStatus(err, status) FormatStatus(err, ntdll.dll, status) 185 | 186 | NTSTATUS DisplayStatus(HWND hwndDlg, NTSTATUS status, LPCWSTR sztext) 187 | { 188 | WCHAR err[MAX_PATH]; 189 | 190 | FormatNTStatus(err, status); 191 | 192 | ULONG mb; 193 | 194 | switch((ULONG)status >> 30) { 195 | case 0: mb = MB_OK; 196 | break; 197 | case 1: mb = MB_ICONINFORMATION; 198 | break; 199 | case 2: mb = MB_ICONWARNING; 200 | break; 201 | case 3: mb = MB_ICONHAND; 202 | break; 203 | default: __assume(false); 204 | } 205 | 206 | MessageBoxW(hwndDlg, err , sztext, mb); 207 | 208 | return status; 209 | } 210 | 211 | class CMemDumpDlg : public ZDlg 212 | { 213 | // Construction 214 | public: 215 | protected: 216 | protected: 217 | HANDLE m_hProcess; 218 | HANDLE m_dwProcessId; 219 | PVOID m_lpBuffer; 220 | SIZE_T m_cbBuffer, m_cbBufferData; 221 | 222 | NTSTATUS OnButtonCopy(HWND hwndDlg, NTSTATUS (* pfnReadData)(HANDLE, LPVOID, LPVOID, SIZE_T), HANDLE handle, LPVOID Base, SIZE_T Size); 223 | void OnDestroy(); 224 | BOOL OnInitDialog(HWND hwndDlg); 225 | HWND _GetData(HWND hwndDlg, PVOID* pBase, DWORD* pSize, BOOL* pbImage, DWORD* pcbFIleName); 226 | BOOL GetData(HWND hwndDlg, PVOID* pBase, DWORD* pSize, BOOL* pbImage, DWORD* pcbFIleName); 227 | 228 | static void OnDropdownComboProcess(HWND hwndDlg, SYSTEM_PROCESS_INFORMATION* sp); 229 | static void OnDropdownComboProcess(HWND hwndDlg); 230 | void OnCloseupComboProcess(HWND hwndDlg); 231 | void OnSelchangeComboProcess(HWND hwndDlg); 232 | void OnButtonFromModule(HWND hwndDlg); 233 | void OnButtonDump(HWND hwndDlg); 234 | void OnButtonEditImage(HWND hwndDlg); 235 | void OnButtonCopy(HWND hwndDlg); 236 | void OnButtonPaste(HWND hwndDlg); 237 | void OnButtonZero(HWND hwndDlg); 238 | void OnButtonFromFile(HWND hwndDlg); 239 | 240 | virtual INT_PTR DialogProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam) 241 | { 242 | switch (uMsg) 243 | { 244 | case WM_INITDIALOG: 245 | OnInitDialog(hwndDlg); 246 | break; 247 | case WM_DESTROY: 248 | OnDestroy(); 249 | break; 250 | case WM_COMMAND: 251 | switch (wParam) 252 | { 253 | case IDCANCEL: 254 | EndDialog(hwndDlg, 0); 255 | break; 256 | case MAKEWPARAM(IDC_COMBO2, CBN_SELCHANGE): 257 | OnSelchangeComboProcess(hwndDlg); 258 | break; 259 | case MAKEWPARAM(IDC_COMBO2, CBN_DROPDOWN): 260 | OnDropdownComboProcess(hwndDlg); 261 | break; 262 | case MAKEWPARAM(IDC_COMBO1, CBN_DROPDOWN): 263 | OnDropdownComboDlls(hwndDlg, (HWND)lParam, m_dwProcessId); 264 | break; 265 | case IDC_BUTTON1: OnButtonFromModule(hwndDlg); 266 | break; 267 | case IDC_BUTTON2: OnButtonDump(hwndDlg); 268 | break; 269 | case IDC_BUTTON3: OnButtonCopy(hwndDlg); 270 | break; 271 | case IDC_BUTTON4: OnButtonPaste(hwndDlg); 272 | break; 273 | case IDC_BUTTON5: OnButtonZero(hwndDlg); 274 | break; 275 | case IDC_BUTTON7: OnButtonFromFile(hwndDlg); 276 | break; 277 | } 278 | break; 279 | } 280 | return ZDlg::DialogProc(hwndDlg, uMsg, wParam, lParam); 281 | } 282 | }; 283 | 284 | ///////////////////////////////////////////////////////////////////////////// 285 | // CMemDumpDlg message handlers 286 | 287 | BOOL CMemDumpDlg::OnInitDialog(HWND hwndDlg) 288 | { 289 | m_hProcess = 0; 290 | m_dwProcessId = 0; 291 | m_cbBuffer = 0; 292 | m_cbBufferData = 0; 293 | 294 | ComboBox_SetMinVisible(::GetDlgItem(hwndDlg, IDC_COMBO1), 16); 295 | ComboBox_SetMinVisible(::GetDlgItem(hwndDlg, IDC_COMBO2), 16); 296 | CheckDlgButton(hwndDlg, IDC_RADIO3, BST_CHECKED); 297 | 298 | SendMessage(hwndDlg, WM_SETICON, ICON_BIG, (LPARAM)LoadImage((HINSTANCE)&__ImageBase, 299 | MAKEINTRESOURCE(IDR_MAINFRAME), IMAGE_ICON, 32, 32, LR_SHARED)); 300 | 301 | SendMessage(hwndDlg, WM_SETICON, ICON_SMALL, (LPARAM)LoadImage((HINSTANCE)&__ImageBase, 302 | MAKEINTRESOURCE(IDR_MAINFRAME), IMAGE_ICON, 16, 16, LR_SHARED)); 303 | return TRUE; // return TRUE unless you set the focus to a control 304 | } 305 | 306 | void CMemDumpDlg::OnDropdownComboProcess(HWND hwndDlg, SYSTEM_PROCESS_INFORMATION* sp) 307 | { 308 | HWND hwndCtl = ::GetDlgItem(hwndDlg, IDC_COMBO2); 309 | ComboBox_ResetContent(hwndCtl); 310 | COMBOBOXINFO cbi = { sizeof cbi }; 311 | 312 | if (!GetComboBoxInfo(hwndCtl, &cbi)) return ; 313 | 314 | ULONG cb = 0, rcb, NextEntryDelta = 0; 315 | 316 | HDC hdc = ::GetDC(cbi.hwndList); 317 | if (!hdc) return ; 318 | HGDIOBJ o = (HGDIOBJ)::SendMessage(cbi.hwndList, WM_GETFONT, 0, 0); 319 | if (o) o = SelectObject(hdc, o); else o = (HGDIOBJ)-1; 320 | 321 | SIZE size; 322 | RECT rc; 323 | ::GetClientRect(cbi.hwndList, &rc); 324 | SCROLLINFO si = { sizeof si }; 325 | si.fMask = SIF_ALL; 326 | si.nPage = rc.right - rc.left; 327 | 328 | PWSTR sz = 0; 329 | #ifdef _WIN64 330 | OBJECT_ATTRIBUTES oa = { sizeof oa }; 331 | CLIENT_ID cid = { }; 332 | #endif 333 | 334 | do 335 | { 336 | sp = (SYSTEM_PROCESS_INFORMATION*)RtlOffsetToPointer(sp, NextEntryDelta); 337 | if (sp->UniqueProcessId) 338 | { 339 | #ifdef _WIN64 340 | cid.UniqueProcess = (HANDLE)(ULONG_PTR)sp->UniqueProcessId; 341 | HANDLE hProcess; 342 | PVOID wow; 343 | WCHAR c = L'?'; 344 | 345 | if (0 <= NtOpenProcess(&hProcess, PROCESS_QUERY_LIMITED_INFORMATION, &oa, &cid)) 346 | { 347 | if (0 <= NtQueryInformationProcess(hProcess, ProcessWow64Information, &wow, sizeof(wow), 0)) 348 | { 349 | c = wow ? '*' : ' '; 350 | } 351 | 352 | NtClose(hProcess); 353 | } 354 | #else 355 | WCHAR c = L' '; 356 | #endif 357 | 358 | rcb = sp->ImageName.Length + 32; 359 | if (cb < rcb) sz = (LPWSTR)alloca(rcb - cb), cb = rcb; 360 | swprintf(sz, L"%4X(%4X) %2d %c %wZ", 361 | HandleToUlong(sp->UniqueProcessId), HandleToUlong(sp->InheritedFromUniqueProcessId), 362 | sp->NumberOfThreads, c, &sp->ImageName); 363 | GetTextExtentPoint32(hdc, sz, (int)wcslen(sz), &size); 364 | if (si.nMax < size.cx) si.nMax = size.cx; 365 | ComboBox_AddStringEx(hwndCtl, sz, sp->UniqueProcessId); 366 | } 367 | 368 | } while(NextEntryDelta = sp->NextEntryOffset); 369 | 370 | if (o != (HGDIOBJ)-1)SelectObject(hdc, o); 371 | 372 | ::ReleaseDC(cbi.hwndList, hdc); 373 | 374 | ::SendMessage(cbi.hwndList, LB_SETHORIZONTALEXTENT, si.nMax, 0); 375 | 376 | si.nMax += 16; 377 | ::SetScrollInfo(cbi.hwndList, SB_HORZ, &si, TRUE); 378 | } 379 | 380 | void CMemDumpDlg::OnDropdownComboProcess(HWND hwndDlg) 381 | { 382 | NTSTATUS status; 383 | DWORD rcb = 0x1000; 384 | do 385 | { 386 | if (SYSTEM_PROCESS_INFORMATION* sp = (SYSTEM_PROCESS_INFORMATION*)LocalAlloc(0, rcb += PAGE_SIZE)) 387 | { 388 | status = NtQuerySystemInformation(SystemProcessInformation, sp, rcb, &rcb); 389 | 390 | if (0 <= status) 391 | { 392 | OnDropdownComboProcess(hwndDlg, sp); 393 | } 394 | 395 | LocalFree(sp); 396 | } 397 | else 398 | { 399 | break; 400 | } 401 | } while(status == STATUS_INFO_LENGTH_MISMATCH); 402 | } 403 | 404 | void CMemDumpDlg::OnSelchangeComboProcess(HWND hwndDlg) 405 | { 406 | HWND hwndCtl = ::GetDlgItem(hwndDlg, IDC_COMBO2); 407 | int i; 408 | HANDLE dwProcessId = (HANDLE)(((i = ComboBox_GetCurSel(hwndCtl)) == CB_ERR) 409 | ? 0 : ComboBox_GetItemData(hwndCtl, i)); 410 | 411 | if (m_dwProcessId != dwProcessId) { 412 | 413 | m_dwProcessId = dwProcessId; 414 | 415 | if (m_hProcess) NtClose(m_hProcess); 416 | 417 | m_hProcess = 0; 418 | 419 | if (dwProcessId) 420 | { 421 | CLIENT_ID cid = {dwProcessId}; 422 | MyOpenProcess(&m_hProcess, PROCESS_ALL_ACCESS, &zoa, &cid); 423 | } 424 | 425 | ComboBox_ResetContent(::GetDlgItem(hwndDlg, IDC_COMBO1)); 426 | } 427 | } 428 | 429 | void CMemDumpDlg::OnDestroy() 430 | { 431 | if (m_cbBuffer) ZwFreeVirtualMemory(NtCurrentProcess(), &m_lpBuffer, &m_cbBuffer, MEM_RELEASE); 432 | if (m_hProcess) NtClose(m_hProcess); 433 | } 434 | 435 | void CMemDumpDlg::OnButtonFromModule(HWND hwndDlg) 436 | { 437 | HWND hwndCtl = ::GetDlgItem(hwndDlg, IDC_COMBO1); 438 | 439 | int i = ComboBox_GetCurSel(hwndCtl ); 440 | if (i == CB_ERR) return ; 441 | 442 | RTL_PROCESS_MODULE_INFORMATION* smi = (RTL_PROCESS_MODULE_INFORMATION*)ComboBox_GetItemData(hwndCtl, i); 443 | 444 | if (!smi) return ; 445 | 446 | CheckDlgButton(hwndDlg, IDC_CHECK1, BST_CHECKED); 447 | 448 | TCHAR sz[17]; 449 | 450 | swprintf(sz, L"%p", smi->ImageBase); 451 | SetDlgItemText(hwndDlg, IDC_EDIT1,sz); 452 | 453 | swprintf(sz, L"%X", smi->ImageSize); 454 | SetDlgItemText(hwndDlg, IDC_EDIT2, sz); 455 | } 456 | 457 | DWORD ImageToLine(PVOID Base, PVOID ImageBase, DWORD SizeOfImage) 458 | { 459 | if (PIMAGE_NT_HEADERS pinth = RtlImageNtHeader(ImageBase)) 460 | { 461 | if (pinth->OptionalHeader.SizeOfImage > SizeOfImage) return 0; 462 | 463 | pinth->OptionalHeader.ImageBase = (ULONG_PTR)Base; 464 | 465 | DWORD s; 466 | if (PIMAGE_IMPORT_DESCRIPTOR piid = (PIMAGE_IMPORT_DESCRIPTOR)RtlImageDirectoryEntryToData(ImageBase, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &s)) 467 | { 468 | while (piid->Name) 469 | { 470 | if (ULONG OriginalFirstThunk = piid->OriginalFirstThunk) 471 | { 472 | if (ULONG FirstThunk = piid->FirstThunk) 473 | { 474 | union { 475 | DWORD d; 476 | ULONGLONG u; 477 | }; 478 | union { 479 | PVOID pv; 480 | PDWORD pd; 481 | PULONGLONG pu; 482 | }; 483 | union { 484 | PVOID qv; 485 | PDWORD qd; 486 | PULONGLONG qu; 487 | }; 488 | 489 | pv = RtlOffsetToPointer(ImageBase, OriginalFirstThunk), 490 | qv = RtlOffsetToPointer(ImageBase, FirstThunk); 491 | 492 | switch (pinth->OptionalHeader.Magic) 493 | { 494 | case IMAGE_NT_OPTIONAL_HDR32_MAGIC: 495 | do 496 | { 497 | d = *pd++, *qd++ = d; 498 | } while (d); 499 | break; 500 | case IMAGE_NT_OPTIONAL_HDR64_MAGIC: 501 | do 502 | { 503 | u = *pu++, *qu++ = d; 504 | } while (u); 505 | break; 506 | } 507 | } 508 | } 509 | piid++; 510 | } 511 | } 512 | 513 | if (DWORD NumberOfSections = pinth->FileHeader.NumberOfSections) 514 | { 515 | PCHAR pb = RtlOffsetToPointer(ImageBase, pinth->OptionalHeader.SizeOfHeaders); 516 | 517 | PIMAGE_SECTION_HEADER pish = IMAGE_FIRST_SECTION(pinth); 518 | 519 | do 520 | { 521 | DWORD SizeOfRawData = pish->SizeOfRawData, VirtualSize = pish->Misc.VirtualSize, 522 | VirtualAddress = pish->VirtualAddress, PointerToRawData = pish->PointerToRawData; 523 | 524 | if ( 525 | VirtualAddress <= VirtualAddress + VirtualSize && VirtualAddress + VirtualSize <= SizeOfImage && 526 | PointerToRawData <= PointerToRawData + SizeOfRawData && PointerToRawData + SizeOfRawData <= SizeOfImage 527 | ) 528 | { 529 | if (SizeOfRawData) 530 | { 531 | PCHAR pbRawData = RtlOffsetToPointer(ImageBase, PointerToRawData); 532 | 533 | if (pb > pbRawData) 534 | { 535 | return 0; 536 | } 537 | 538 | memcpy(pbRawData, RtlOffsetToPointer(ImageBase, VirtualAddress), min(SizeOfRawData, VirtualSize)); 539 | 540 | if (VirtualSize < SizeOfRawData) 541 | { 542 | RtlZeroMemory(pbRawData+VirtualSize, SizeOfRawData - VirtualSize); 543 | } 544 | 545 | pb += SizeOfRawData; 546 | } 547 | } 548 | else 549 | { 550 | return 0; 551 | } 552 | 553 | } while (pish++, --NumberOfSections); 554 | 555 | return RtlPointerToOffset(ImageBase, pb); 556 | } 557 | else 558 | { 559 | return FALSE; 560 | } 561 | } 562 | else 563 | { 564 | return 0; 565 | } 566 | } 567 | 568 | NTSTATUS ReadDataFromMemory(HANDLE hProcess, LPVOID Base, LPVOID lpBuffer, SIZE_T cbBuffer) 569 | { 570 | return DbgReadMemory(hProcess, Base, lpBuffer, cbBuffer, 0); 571 | } 572 | 573 | NTSTATUS ReadDataFromFile(HANDLE hFile, LPVOID , LPVOID lpBuffer, SIZE_T cbBuffer) 574 | { 575 | IO_STATUS_BLOCK iosb; 576 | LARGE_INTEGER li = {}; 577 | return ZwReadFile(hFile, 0, 0, 0, &iosb, lpBuffer, (DWORD)cbBuffer, &li, 0); 578 | } 579 | 580 | NTSTATUS CMemDumpDlg::OnButtonCopy(HWND hwndDlg, NTSTATUS (* pfnReadData)(HANDLE, LPVOID, LPVOID, SIZE_T), HANDLE handle, LPVOID Base, SIZE_T Size) 581 | { 582 | LPVOID BaseAddress = m_lpBuffer; 583 | SIZE_T RegionSize = m_cbBuffer; 584 | 585 | NTSTATUS status = 0; 586 | 587 | if (m_cbBuffer < Size) 588 | { 589 | if (m_cbBuffer) ZwFreeVirtualMemory(NtCurrentProcess(), &m_lpBuffer, 590 | &m_cbBuffer, MEM_RELEASE), m_cbBuffer = 0; 591 | 592 | status = ZwAllocateVirtualMemory(NtCurrentProcess(), &(BaseAddress = 0), 0, 593 | &(RegionSize = Size), MEM_COMMIT, PAGE_READWRITE); 594 | } 595 | 596 | if (0 <= status) 597 | { 598 | status = pfnReadData(handle, Base, BaseAddress, Size); 599 | if (0 <= status) { 600 | if (m_cbBuffer < Size) m_lpBuffer = BaseAddress, m_cbBuffer = RegionSize; 601 | m_cbBufferData = Size; 602 | } 603 | else ZwFreeVirtualMemory(NtCurrentProcess(), &BaseAddress, &RegionSize, MEM_RELEASE); 604 | } 605 | 606 | WCHAR sz[17]; 607 | swprintf(sz, L"%X", (ULONG)m_cbBufferData); 608 | SetDlgItemText(hwndDlg, IDC_STATIC1, sz); 609 | 610 | return status; 611 | } 612 | 613 | void CMemDumpDlg::OnButtonCopy(HWND hwndDlg) 614 | { 615 | LPVOID Base; 616 | DWORD Size; 617 | 618 | if (!GetData(hwndDlg, &Base, &Size, 0, 0)) return; 619 | 620 | NTSTATUS status = OnButtonCopy(hwndDlg, ReadDataFromMemory, m_hProcess, Base, Size); 621 | 622 | 0 > status ? DisplayStatus(hwndDlg, status, L"Copy Failed") : MessageBox(hwndDlg, L"Copy Ok!", L"", 0); 623 | } 624 | 625 | NTSTATUS WriteToProcessMemory(HANDLE hProcess, LPVOID RemoteBase, SIZE_T Size, LPVOID LocaleBase) 626 | { 627 | LPVOID _RemoteBase = RemoteBase; 628 | SIZE_T _Size = Size; 629 | 630 | DWORD OldProtect; 631 | NTSTATUS status = ZwProtectVirtualMemory(hProcess, &_RemoteBase, &_Size, 632 | PAGE_READWRITE, &OldProtect); 633 | 634 | if (0 > status) return status; 635 | 636 | status = ZwWriteVirtualMemory(hProcess, RemoteBase, LocaleBase, Size, 0); 637 | ZwProtectVirtualMemory(hProcess, &_RemoteBase, &_Size, OldProtect, &OldProtect); 638 | 639 | return status; 640 | } 641 | 642 | void CMemDumpDlg::OnButtonPaste(HWND hwndDlg) 643 | { 644 | LPVOID Base; 645 | DWORD Size; 646 | if (!GetData(hwndDlg, &Base, &Size, 0, 0)) return; 647 | 648 | NTSTATUS status = Size > m_cbBufferData ? STATUS_BUFFER_TOO_SMALL : 649 | WriteToProcessMemory(m_hProcess, Base, Size, m_lpBuffer); 650 | 651 | 0 > status ? DisplayStatus(hwndDlg, status, L"Paste Failed") : MessageBox(hwndDlg, L"Paste Ok!", L"", 0); 652 | } 653 | 654 | void CMemDumpDlg::OnButtonZero(HWND hwndDlg) 655 | { 656 | PVOID Base, BaseAddress; 657 | SIZE_T RegionSize; 658 | DWORD Size; 659 | 660 | if (!GetData(hwndDlg, &Base, &Size, 0, 0)) return; 661 | 662 | NTSTATUS status = ZwAllocateVirtualMemory(NtCurrentProcess(), &(BaseAddress = 0), 0, 663 | &(RegionSize = Size), MEM_COMMIT, PAGE_READWRITE); 664 | 665 | if (0 <= status) 666 | { 667 | status = WriteToProcessMemory(m_hProcess, Base, Size, BaseAddress); 668 | ZwFreeVirtualMemory(NtCurrentProcess(), &BaseAddress, &RegionSize, MEM_RELEASE); 669 | } 670 | 671 | 0 > status ? DisplayStatus(hwndDlg, status, L"Zero Memory Failed") : MessageBox(hwndDlg, L"Memory Zeroed!", L"", 0); 672 | } 673 | 674 | void CMemDumpDlg::OnButtonFromFile(HWND hwndDlg) 675 | { 676 | DWORD len; 677 | 678 | if (!GetData(hwndDlg, 0, 0, 0, &len)) return; 679 | 680 | LPWSTR fileName = (PWSTR)alloca(len << 1); 681 | GetDlgItemText(hwndDlg, IDC_EDIT4, fileName, len); 682 | 683 | UNICODE_STRING ntPath; 684 | NTSTATUS status = STATUS_UNSUCCESSFUL; 685 | if (RtlDosPathNameToNtPathName_U(fileName, &ntPath, 0, 0)) 686 | { 687 | HANDLE hFile; 688 | IO_STATUS_BLOCK iosb; 689 | 690 | status = ZwOpenFile(&hFile, FILE_GENERIC_READ, 691 | &CObjectAttributes(&ntPath), &iosb, FILE_SHARE_READ, 692 | FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT); 693 | 694 | if (0 <= status) 695 | { 696 | FILE_STANDARD_INFORMATION fsi; 697 | status = ZwQueryInformationFile(hFile, &iosb, &fsi, sizeof fsi, 698 | FileStandardInformation); 699 | 700 | if (0 <= status) 701 | { 702 | if (fsi.EndOfFile.HighPart) status = STATUS_BUFFER_OVERFLOW; 703 | else if (!fsi.EndOfFile.LowPart) status = STATUS_MAPPED_FILE_SIZE_ZERO; 704 | else status = OnButtonCopy(hwndDlg, ReadDataFromFile, hFile, 0, fsi.EndOfFile.LowPart); 705 | } 706 | NtClose(hFile); 707 | } 708 | RtlFreeUnicodeString(&ntPath); 709 | } 710 | 711 | 0 > status ? DisplayStatus(hwndDlg, status, L"Copy Failed") : MessageBox(hwndDlg, L"Copy Ok!", L"", 0); 712 | } 713 | 714 | BOOL CMemDumpDlg::GetData(HWND hwndDlg, LPVOID* pBase, DWORD* pSize, BOOL* pbImage, DWORD* pcbFIleName) 715 | { 716 | HWND hwnd = _GetData(hwndDlg, pBase, pSize, pbImage, pcbFIleName); 717 | if (!hwnd) return TRUE; 718 | ::SetFocus(hwnd); 719 | MessageBeep((UINT)-1); 720 | return FALSE; 721 | } 722 | 723 | #ifdef _WIN64 724 | #define uptoul _wcstoui64 725 | #else 726 | #define uptoul wcstoul 727 | #endif 728 | 729 | HWND CMemDumpDlg::_GetData(HWND hwndDlg, PVOID* pBase, DWORD* pSize, BOOL* pbImage, DWORD* pcbFIleName) 730 | { 731 | WCHAR sz[18], *c; 732 | 733 | if (pBase) 734 | { 735 | ULONGLONG Base; 736 | if (!GetDlgItemText(hwndDlg, IDC_EDIT1, sz, 17) || !(Base = uptoul(sz, &c, 16)) || *c) 737 | { 738 | return ::GetDlgItem(hwndDlg, IDC_EDIT1); 739 | } 740 | *pBase = (PVOID)Base; 741 | } 742 | 743 | if (pSize) 744 | { 745 | DWORD Size; 746 | if (!GetDlgItemText(hwndDlg, IDC_EDIT2, sz, 9) || !(Size = wcstoul(sz, &c, 16)) || *c) 747 | { 748 | return ::GetDlgItem(hwndDlg, IDC_EDIT2); 749 | } 750 | *pSize = Size; 751 | } 752 | 753 | if (pcbFIleName) 754 | { 755 | HWND hwnd = ::GetDlgItem(hwndDlg, IDC_EDIT4); 756 | DWORD cbFIleName = ::GetWindowTextLengthW(hwnd); 757 | if (!cbFIleName) return hwnd; 758 | *pcbFIleName = cbFIleName + 1; 759 | } 760 | 761 | if (pbImage) *pbImage = (BST_CHECKED == IsDlgButtonChecked(hwndDlg, IDC_CHECK1)); 762 | 763 | return 0; 764 | } 765 | 766 | void CMemDumpDlg::OnButtonDump(HWND hwndDlg) 767 | { 768 | PVOID Base, BaseAddress; 769 | SIZE_T RegionSize; 770 | DWORD len, Size; 771 | BOOL bImage; 772 | 773 | if (!GetData(hwndDlg, &Base, &Size, &bImage, &len)) return; 774 | 775 | LPWSTR fileName = (PWSTR)alloca(len << 1); 776 | GetDlgItemText(hwndDlg, IDC_EDIT4, fileName, len); 777 | 778 | NTSTATUS status = ZwAllocateVirtualMemory(NtCurrentProcess(), &(BaseAddress = 0), 0, 779 | &(RegionSize = Size), MEM_COMMIT, PAGE_READWRITE); 780 | 781 | if (0 <= status) 782 | { 783 | if (0 <= (status = DbgReadMemory(m_hProcess, Base, BaseAddress, Size, 0))) 784 | { 785 | LARGE_INTEGER li; 786 | li.QuadPart = Size; 787 | 788 | if (bImage) 789 | { 790 | if (!(Size = ImageToLine(Base, BaseAddress, Size))) 791 | { 792 | status = STATUS_INVALID_IMAGE_NOT_MZ; 793 | } 794 | } 795 | 796 | if ((0 <= status) && (0x1000000 < li.QuadPart)) 797 | { 798 | WCHAR sz[32]; 799 | swprintf(sz, L"FileSize = %I64d", li.QuadPart); 800 | if (IDYES != MessageBoxW(hwndDlg, sz, L"File To Large. Are You Sure ?", 801 | MB_YESNOCANCEL|MB_ICONQUESTION)) status = STATUS_CANCELLED; 802 | } 803 | 804 | if (0 <= status) 805 | { 806 | UNICODE_STRING ntPath; 807 | if (RtlDosPathNameToNtPathName_U(fileName, &ntPath, 0, 0)) 808 | { 809 | HANDLE hFile; 810 | IO_STATUS_BLOCK iosb; 811 | if (0 <= ZwCreateFile(&hFile, FILE_GENERIC_WRITE, 812 | &CObjectAttributes(&ntPath), &iosb, &li, 0, 0, 813 | FILE_OVERWRITE_IF, FILE_NON_DIRECTORY_FILE| 814 | FILE_SYNCHRONOUS_IO_NONALERT, 0, 0)) 815 | { 816 | status = ZwWriteFile(hFile, 0, 0, 0, &iosb, BaseAddress, (ULONG)Size, 0, 0); 817 | 818 | if (0 > status) 819 | { 820 | FILE_DISPOSITION_INFORMATION fdi; 821 | fdi.DeleteFile = TRUE; 822 | ZwSetInformationFile(hFile, &iosb, &fdi, sizeof fdi, 823 | FileDispositionInformation); 824 | } 825 | NtClose(hFile); 826 | } 827 | RtlFreeUnicodeString(&ntPath); 828 | } 829 | else status = STATUS_UNSUCCESSFUL; 830 | } 831 | } 832 | ZwFreeVirtualMemory(NtCurrentProcess(), &BaseAddress, &RegionSize, MEM_RELEASE); 833 | } 834 | 835 | 0 > status ? DisplayStatus(hwndDlg, status, L"Save Memory Failed") : MessageBox(hwndDlg, L"Dump Created!", L"", 0); 836 | } 837 | 838 | #define MAX_DESTRUCTOR_COUNT 8 839 | 840 | #include "../inc/initterm.h" 841 | 842 | NTSTATUS AdjustPrivileges() 843 | { 844 | HANDLE hToken; 845 | NTSTATUS status = NtOpenProcessToken(NtCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken); 846 | if (0 <= status) 847 | { 848 | BEGIN_PRIVILEGES(tp, 2) 849 | LAA(SE_DEBUG_PRIVILEGE), 850 | LAA(SE_LOAD_DRIVER_PRIVILEGE) 851 | END_PRIVILEGES 852 | status = NtAdjustPrivilegesToken(hToken, FALSE, (PTOKEN_PRIVILEGES)&tp, 0, 0, 0); 853 | NtClose(hToken); 854 | } 855 | return status; 856 | } 857 | 858 | void ep(void*) 859 | { 860 | #ifndef _WIN64 861 | PVOID wow; 862 | if (0 > NtQueryInformationProcess(NtCurrentProcess(), ProcessWow64Information, &wow, sizeof(wow), 0) || wow) 863 | { 864 | MessageBox(0, L"The 32-bit version of this program is not compatible with the 64-bit Windows you're running.", 865 | L"Machine Type Mismatch", MB_ICONWARNING); 866 | ExitProcess(0); 867 | } 868 | #else 869 | InitWow64(); 870 | #endif 871 | 872 | if (NTSTATUS status = AdjustPrivileges()) 873 | { 874 | DisplayStatus(0, status, L"AdjustPrivilege"); 875 | } 876 | 877 | STATIC_UNICODE_STRING(tkn, "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\{FC81D8A3-6002-44bf-931A-352B95C4522F}"); 878 | 879 | switch (ZwLoadDriver((PUNICODE_STRING)&tkn)) 880 | { 881 | case 0: 882 | case STATUS_IMAGE_ALREADY_LOADED: 883 | IO_STATUS_BLOCK iosb; 884 | STATIC_OBJECT_ATTRIBUTES(oa, "\\device\\69766781178D422cA183775611A8EE55"); 885 | ZwOpenFile(&g_hDrv, SYNCHRONIZE, &oa, &iosb, FILE_SHARE_VALID_FLAGS, FILE_SYNCHRONOUS_IO_NONALERT); 886 | break; 887 | } 888 | 889 | initterm(); 890 | 891 | { 892 | CMemDumpDlg dlg; 893 | dlg.DoModal((HINSTANCE)&__ImageBase, MAKEINTRESOURCE(IDD_DIALOG1), HWND_DESKTOP, 0); 894 | } 895 | 896 | destroyterm(); 897 | 898 | if (g_hDrv) 899 | { 900 | NtClose(g_hDrv); 901 | } 902 | 903 | ExitProcess(0); 904 | } 905 | 906 | _NT_END 907 | -------------------------------------------------------------------------------- /MEM DUMP/MemDump.rc: -------------------------------------------------------------------------------- 1 | // Microsoft Visual C++ generated resource script. 2 | // 3 | #include "resource.h" 4 | 5 | #define APSTUDIO_READONLY_SYMBOLS 6 | ///////////////////////////////////////////////////////////////////////////// 7 | // 8 | // Generated from the TEXTINCLUDE 2 resource. 9 | // 10 | #include "winres.h" 11 | 12 | ///////////////////////////////////////////////////////////////////////////// 13 | #undef APSTUDIO_READONLY_SYMBOLS 14 | 15 | ///////////////////////////////////////////////////////////////////////////// 16 | // English (U.S.) resources 17 | 18 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU) 19 | #ifdef _WIN32 20 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US 21 | #pragma code_page(1252) 22 | #endif //_WIN32 23 | 24 | #ifdef APSTUDIO_INVOKED 25 | ///////////////////////////////////////////////////////////////////////////// 26 | // 27 | // TEXTINCLUDE 28 | // 29 | 30 | 1 TEXTINCLUDE 31 | BEGIN 32 | "resource.h\0" 33 | END 34 | 35 | 2 TEXTINCLUDE 36 | BEGIN 37 | "#include ""afxres.h""\r\n" 38 | "\0" 39 | END 40 | 41 | 3 TEXTINCLUDE 42 | BEGIN 43 | "#define _AFX_NO_SPLITTER_RESOURCES\r\n" 44 | "#define _AFX_NO_OLE_RESOURCES\r\n" 45 | "#define _AFX_NO_TRACKER_RESOURCES\r\n" 46 | "#define _AFX_NO_PROPERTY_RESOURCES\r\n" 47 | "\r\n" 48 | "#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)\r\n" 49 | "#ifdef _WIN32\r\n" 50 | "LANGUAGE 9, 1\r\n" 51 | "#pragma code_page(1252)\r\n" 52 | "#endif //_WIN32\r\n" 53 | "#include ""res\\MemDump.rc2"" // non-Microsoft Visual C++ edited resources\r\n" 54 | "#endif\r\n" 55 | "\0" 56 | END 57 | 58 | #endif // APSTUDIO_INVOKED 59 | 60 | 61 | ///////////////////////////////////////////////////////////////////////////// 62 | // 63 | // Icon 64 | // 65 | 66 | // Icon with lowest ID value placed first to ensure application icon 67 | // remains consistent on all systems. 68 | IDR_MAINFRAME ICON "Mem.ico" 69 | 70 | ///////////////////////////////////////////////////////////////////////////// 71 | // 72 | // Version 73 | // 74 | 75 | VS_VERSION_INFO VERSIONINFO 76 | FILEVERSION 1,0,0,1 77 | PRODUCTVERSION 1,0,0,1 78 | FILEFLAGSMASK 0x3fL 79 | #ifdef _DEBUG 80 | FILEFLAGS 0x1L 81 | #else 82 | FILEFLAGS 0x0L 83 | #endif 84 | FILEOS 0x4L 85 | FILETYPE 0x1L 86 | FILESUBTYPE 0x0L 87 | BEGIN 88 | BLOCK "StringFileInfo" 89 | BEGIN 90 | BLOCK "040904B0" 91 | BEGIN 92 | VALUE "FileDescription", "MemDump MFC Application" 93 | VALUE "FileVersion", "1, 0, 0, 1" 94 | VALUE "InternalName", "MemDump" 95 | VALUE "LegalCopyright", "Copyright (C) 2006" 96 | VALUE "OriginalFilename", "MemDump.EXE" 97 | VALUE "ProductName", "MemDump Application" 98 | VALUE "ProductVersion", "1, 0, 0, 1" 99 | END 100 | END 101 | BLOCK "VarFileInfo" 102 | BEGIN 103 | VALUE "Translation", 0x409, 1200 104 | END 105 | END 106 | 107 | 108 | ///////////////////////////////////////////////////////////////////////////// 109 | // 110 | // DESIGNINFO 111 | // 112 | 113 | #ifdef APSTUDIO_INVOKED 114 | GUIDELINES DESIGNINFO 115 | BEGIN 116 | IDD_DIALOG1, DIALOG 117 | BEGIN 118 | LEFTMARGIN, 7 119 | RIGHTMARGIN, 354 120 | TOPMARGIN, 4 121 | BOTTOMMARGIN, 77 122 | END 123 | 124 | IDD_DIALOG2, DIALOG 125 | BEGIN 126 | LEFTMARGIN, 7 127 | RIGHTMARGIN, 269 128 | TOPMARGIN, 7 129 | BOTTOMMARGIN, 122 130 | END 131 | END 132 | #endif // APSTUDIO_INVOKED 133 | 134 | 135 | ///////////////////////////////////////////////////////////////////////////// 136 | // 137 | // Dialog 138 | // 139 | 140 | IDD_DIALOG1 DIALOGEX 0, 0, 361, 84 141 | STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU 142 | CAPTION "Dump Process Memory " 143 | FONT 10, "Courier New", 0, 0, 0x1 144 | BEGIN 145 | COMBOBOX IDC_COMBO1,27,27,327,77,CBS_DROPDOWNLIST | WS_VSCROLL | WS_TABSTOP 146 | CTEXT "Base",IDC_STATIC,7,48,19,10,SS_CENTERIMAGE 147 | CTEXT "Size",IDC_STATIC,100,48,17,10,SS_CENTERIMAGE 148 | EDITTEXT IDC_EDIT1,30,46,68,14,ES_UPPERCASE | NOT WS_BORDER,WS_EX_CLIENTEDGE 149 | EDITTEXT IDC_EDIT2,118,46,36,14,ES_UPPERCASE | NOT WS_BORDER,WS_EX_CLIENTEDGE 150 | LTEXT "FileName",IDC_STATIC,7,65,33,8 151 | EDITTEXT IDC_EDIT4,42,63,268,14,ES_AUTOHSCROLL 152 | PUSHBUTTON "From Module",IDC_BUTTON1,157,45,50,14 153 | PUSHBUTTON "Save",IDC_BUTTON2,332,45,22,14 154 | CONTROL "Image",IDC_CHECK1,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,195,13,30,10 155 | COMBOBOX IDC_COMBO2,46,11,143,70,CBS_DROPDOWNLIST | WS_VSCROLL | WS_TABSTOP 156 | LTEXT "Processes",IDC_STATIC,8,13,37,8 157 | LTEXT "DLLs",IDC_STATIC,7,29,17,8 158 | CONTROL "Address",IDC_RADIO1,"Button",BS_AUTORADIOBUTTON | WS_GROUP,237,14,44,10 159 | CONTROL "Name",IDC_RADIO2,"Button",BS_AUTORADIOBUTTON,283,14,32,10 160 | CONTROL "Order",IDC_RADIO3,"Button",BS_AUTORADIOBUTTON,318,14,36,10 161 | GROUPBOX "Sort by",IDC_STATIC,227,4,127,21 162 | PUSHBUTTON "copy",IDC_BUTTON3,262,45,21,14 163 | PUSHBUTTON "Paste",IDC_BUTTON4,284,45,24,14 164 | PUSHBUTTON "Zero",IDC_BUTTON5,309,45,22,14 165 | PUSHBUTTON "Copy From",IDC_BUTTON7,313,63,41,14 166 | LTEXT "0",IDC_STATIC1,210,48,49,8 167 | END 168 | 169 | 170 | #endif // English (U.S.) resources 171 | ///////////////////////////////////////////////////////////////////////////// 172 | 173 | 174 | 175 | #ifndef APSTUDIO_INVOKED 176 | ///////////////////////////////////////////////////////////////////////////// 177 | // 178 | // Generated from the TEXTINCLUDE 3 resource. 179 | // 180 | #define _AFX_NO_SPLITTER_RESOURCES 181 | #define _AFX_NO_OLE_RESOURCES 182 | #define _AFX_NO_TRACKER_RESOURCES 183 | #define _AFX_NO_PROPERTY_RESOURCES 184 | 185 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU) 186 | #ifdef _WIN32 187 | LANGUAGE 9, 1 188 | #pragma code_page(1252) 189 | #endif //_WIN32 190 | #include "MemDump.rc2" // non-Microsoft Visual C++ edited resources 191 | #endif 192 | 193 | ///////////////////////////////////////////////////////////////////////////// 194 | #endif // not APSTUDIO_INVOKED 195 | 196 | -------------------------------------------------------------------------------- /MEM DUMP/MemDump.rc2: -------------------------------------------------------------------------------- 1 | // 2 | // MEMDUMP.RC2 - resources Microsoft Visual C++ does not edit directly 3 | // 4 | 5 | #ifdef APSTUDIO_INVOKED 6 | #error this file is not editable by Microsoft Visual C++ 7 | #endif //APSTUDIO_INVOKED 8 | 9 | LANGUAGE 0,0 10 | 11 | 1 RT_MANIFEST ".manifest" 12 | ///////////////////////////////////////////////////////////////////////////// 13 | // Add manually edited resources here... 14 | 15 | ///////////////////////////////////////////////////////////////////////////// 16 | -------------------------------------------------------------------------------- /MEM DUMP/StdAfx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // MemDump.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | 8 | -------------------------------------------------------------------------------- /MEM DUMP/StdAfx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #include "../inc/StdAfx.h" 7 | 8 | #include 9 | #include 10 | 11 | 12 | //{{AFX_INSERT_LOCATION}} 13 | // Microsoft Visual C++ will insert additional declarations immediately before the previous line. 14 | 15 | -------------------------------------------------------------------------------- /MEM DUMP/cfg.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | 3 | _NT_BEGIN 4 | 5 | NTSTATUS 6 | GetProcessMitigationPolicy( 7 | _In_ HANDLE hProcess, 8 | _In_ PROCESS_MITIGATION_POLICY MitigationPolicy, 9 | _Out_writes_bytes_(ULONG) PVOID lpBuffer 10 | ) 11 | { 12 | struct PROCESS_MITIGATION { 13 | PROCESS_MITIGATION_POLICY Policy; 14 | ULONG Flags; 15 | }; 16 | 17 | PROCESS_MITIGATION m = { MitigationPolicy }; 18 | NTSTATUS status = NtQueryInformationProcess(hProcess, ProcessMitigationPolicy, &m, sizeof(m), 0); 19 | if (0 <= status) 20 | { 21 | *(PULONG)lpBuffer = m.Flags; 22 | return STATUS_SUCCESS; 23 | } 24 | 25 | return status; 26 | } 27 | 28 | BOOLEAN IsExportSuppressionEnabled(HANDLE hProcess) 29 | { 30 | PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY cfg; 31 | 32 | return 0 <= GetProcessMitigationPolicy(hProcess, ProcessControlFlowGuardPolicy, &cfg) && 33 | cfg.EnableControlFlowGuard && cfg.EnableExportSuppression; 34 | } 35 | 36 | BOOL WINAPI SetProcessValidCallTargetsNotImpl( 37 | _In_ HANDLE /*hProcess*/, 38 | _In_ PVOID /*VirtualAddress*/, 39 | _In_ SIZE_T /*RegionSize*/, 40 | _In_ ULONG /*NumberOfOffsets*/, 41 | _Inout_updates_(NumberOfOffsets) PCFG_CALL_TARGET_INFO /*OffsetInformation*/ 42 | ) 43 | { 44 | RtlNtStatusToDosError(STATUS_NOT_IMPLEMENTED); 45 | return FALSE; 46 | } 47 | 48 | EXTERN_C { 49 | extern PVOID __imp_SetProcessValidCallTargets; 50 | } 51 | 52 | #ifdef _X86_ 53 | #pragma comment(linker, "/alternatename:__imp__SetProcessValidCallTargets@20=___imp_SetProcessValidCallTargets") 54 | #pragma comment(linker, "/include:___imp_SetProcessValidCallTargets") 55 | #else 56 | #pragma comment(linker, "/include:__imp_SetProcessValidCallTargets") 57 | #endif 58 | 59 | BOOL WINAPI SetProcessValidCallTargetsTemp( 60 | _In_ HANDLE hProcess, 61 | _In_ PVOID VirtualAddress, 62 | _In_ SIZE_T RegionSize, 63 | _In_ ULONG NumberOfOffsets, 64 | _Inout_updates_(NumberOfOffsets) PCFG_CALL_TARGET_INFO OffsetInformation 65 | ) 66 | { 67 | if (PVOID pv = GetProcAddress(GetModuleHandle(L"Kernelbase"), "SetProcessValidCallTargets")) 68 | { 69 | __imp_SetProcessValidCallTargets = pv; 70 | } 71 | else 72 | { 73 | __imp_SetProcessValidCallTargets = SetProcessValidCallTargetsNotImpl; 74 | } 75 | 76 | return SetProcessValidCallTargets(hProcess, VirtualAddress, RegionSize, NumberOfOffsets, OffsetInformation); 77 | } 78 | 79 | EXTERN_C { 80 | PVOID __imp_SetProcessValidCallTargets = SetProcessValidCallTargetsTemp; 81 | } 82 | 83 | NTSTATUS SetExportValid(HANDLE hProcess, LPCVOID pv) 84 | { 85 | MEMORY_BASIC_INFORMATION mbi; 86 | 87 | NTSTATUS status = NtQueryVirtualMemory(hProcess, (void*)pv, MemoryBasicInformation, &mbi, sizeof(mbi), 0); 88 | 89 | if (0 <= status) 90 | { 91 | if (mbi.State != MEM_COMMIT || mbi.Type != MEM_IMAGE) 92 | { 93 | return STATUS_INVALID_ADDRESS; 94 | } 95 | 96 | CFG_CALL_TARGET_INFO OffsetInformation = { 97 | (ULONG_PTR)pv - (ULONG_PTR)mbi.BaseAddress, 98 | CFG_CALL_TARGET_CONVERT_EXPORT_SUPPRESSED_TO_VALID | CFG_CALL_TARGET_VALID 99 | }; 100 | 101 | return SetProcessValidCallTargets(hProcess, mbi.BaseAddress, mbi.RegionSize, 1, &OffsetInformation) && 102 | (OffsetInformation.Flags & CFG_CALL_TARGET_PROCESSED) ? STATUS_SUCCESS : STATUS_STRICT_CFG_VIOLATION; 103 | } 104 | 105 | return status; 106 | } 107 | 108 | NTSTATUS SetExportValid(HANDLE hProcess, LPCVOID pv1, LPCVOID pv2) 109 | { 110 | if (pv1 > pv2) 111 | { 112 | LPCVOID pv = pv2; 113 | pv2 = pv1, pv1 = pv; 114 | } 115 | 116 | MEMORY_BASIC_INFORMATION mbi; 117 | 118 | NTSTATUS status; 119 | 120 | if (0 <= (status = NtQueryVirtualMemory(hProcess, (void*)pv2, MemoryBasicInformation, &mbi, sizeof(mbi), 0))) 121 | { 122 | if (mbi.State != MEM_COMMIT || mbi.Type != MEM_IMAGE) 123 | { 124 | return STATUS_INVALID_ADDRESS; 125 | } 126 | 127 | CFG_CALL_TARGET_INFO OffsetInformation[] = { 128 | { ((ULONG_PTR)pv1 - (ULONG_PTR)mbi.AllocationBase) & ~15, CFG_CALL_TARGET_CONVERT_EXPORT_SUPPRESSED_TO_VALID | CFG_CALL_TARGET_VALID }, 129 | { ((ULONG_PTR)pv2 - (ULONG_PTR)mbi.AllocationBase) & ~15, CFG_CALL_TARGET_CONVERT_EXPORT_SUPPRESSED_TO_VALID | CFG_CALL_TARGET_VALID }, 130 | }; 131 | 132 | mbi.RegionSize += (ULONG_PTR)mbi.BaseAddress - (ULONG_PTR)mbi.AllocationBase; 133 | 134 | if (mbi.AllocationBase <= pv1) 135 | { 136 | return SetProcessValidCallTargets(hProcess, mbi.AllocationBase, 137 | mbi.RegionSize, _countof(OffsetInformation), OffsetInformation) && 138 | (OffsetInformation[0].Flags & CFG_CALL_TARGET_PROCESSED) && 139 | (OffsetInformation[1].Flags & CFG_CALL_TARGET_PROCESSED) ? STATUS_SUCCESS : STATUS_STRICT_CFG_VIOLATION; 140 | } 141 | 142 | if (!SetProcessValidCallTargets(hProcess, mbi.AllocationBase, mbi.RegionSize, 1, OffsetInformation + 1) || 143 | !(OffsetInformation[1].Flags & CFG_CALL_TARGET_PROCESSED)) 144 | { 145 | return STATUS_STRICT_CFG_VIOLATION; 146 | } 147 | 148 | return SetExportValid(hProcess, pv1); 149 | } 150 | 151 | return status; 152 | } 153 | 154 | _NT_END -------------------------------------------------------------------------------- /MEM DUMP/mem.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/partial/6fe64e3f2c8c54b21cd75bdd7c855ecb29640cae/MEM DUMP/mem.ico -------------------------------------------------------------------------------- /MEM DUMP/qpm.cpp: -------------------------------------------------------------------------------- 1 | #include "StdAfx.h" 2 | 3 | _NT_BEGIN 4 | 5 | #include "../tkn/tkn.h" 6 | 7 | NTSTATUS DoIoControl(ULONG code); 8 | NTSTATUS MyOpenProcess(PHANDLE ProcessHandle, ULONG DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID Cid); 9 | NTSTATUS MyOpenThread(PHANDLE ThreadHandle, ULONG DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID Cid); 10 | 11 | BOOLEAN IsExportSuppressionEnabled(HANDLE hProcess); 12 | NTSTATUS SetExportValid(HANDLE hProcess, LPCVOID pv1, LPCVOID pv2); 13 | NTSTATUS SetExportValid(HANDLE hProcess, LPCVOID pv); 14 | 15 | extern volatile const UCHAR guz; 16 | extern OBJECT_ATTRIBUTES zoa; 17 | 18 | #ifdef _WIN64 19 | 20 | #include "../wow/wow.h" 21 | 22 | BEGIN_DLL_FUNCS(ntdll, 0) 23 | FUNC(LdrQueryProcessModuleInformation), 24 | FUNC(RtlExitUserThread), 25 | END_DLL_FUNCS(); 26 | 27 | void InitWow64() 28 | { 29 | DLL_LIST_0::Process(&ntdll); 30 | } 31 | 32 | #endif 33 | 34 | void Add32Modules(PRTL_PROCESS_MODULES mods, PRTL_PROCESS_MODULES32 mods32, ULONG Size) 35 | { 36 | if (ULONG NumberOfModules = mods32->NumberOfModules) 37 | { 38 | if (Size == __builtin_offsetof(RTL_PROCESS_MODULES32, Modules) + NumberOfModules * sizeof(RTL_PROCESS_MODULE_INFORMATION32)) 39 | { 40 | PRTL_PROCESS_MODULE_INFORMATION Modules = mods->Modules + mods->NumberOfModules; 41 | 42 | mods->NumberOfModules += NumberOfModules; 43 | 44 | PRTL_PROCESS_MODULE_INFORMATION32 Modules32 = mods32->Modules; 45 | do 46 | { 47 | Modules->Flags = Modules32->Flags; 48 | Modules->ImageBase = (PVOID)(ULONG_PTR)Modules32->ImageBase; 49 | Modules->ImageSize = Modules32->ImageSize; 50 | Modules->InitOrderIndex = Modules32->InitOrderIndex; 51 | Modules->LoadCount = Modules32->LoadCount; 52 | Modules->LoadOrderIndex = Modules32->LoadOrderIndex; 53 | Modules->MappedBase = (PVOID)(ULONG_PTR)Modules32->MappedBase; 54 | Modules->OffsetToFileName = Modules32->OffsetToFileName; 55 | Modules->Section = (PVOID)(ULONG_PTR)Modules32->Section; 56 | 57 | strcpy(Modules++->FullPathName, Modules32++->FullPathName); 58 | 59 | } while (--NumberOfModules); 60 | } 61 | } 62 | } 63 | 64 | NTSTATUS StartQuery( 65 | _In_ HANDLE hProcess, 66 | _In_ PVOID RemoteBaseAddress, 67 | _In_ ULONG Size, 68 | _In_ BOOLEAN ExportSuppression, 69 | #ifdef _WIN64 70 | _In_ BOOL wow, 71 | #endif 72 | _Out_ PHANDLE phThread 73 | ) 74 | { 75 | PVOID pvLdrQueryProcessModuleInformation; 76 | PVOID pvRtlExitUserThread; 77 | NTSTATUS (NTAPI *QueueApcThread)(HANDLE hThread, PKNORMAL_ROUTINE , PVOID , PVOID , PVOID ); 78 | 79 | #ifdef _WIN64 80 | if (wow) 81 | { 82 | pvLdrQueryProcessModuleInformation = ntdll.funcs[0].pv; 83 | pvRtlExitUserThread = ntdll.funcs[1].pv; 84 | QueueApcThread = RtlQueueApcWow64Thread; 85 | } 86 | else 87 | #endif 88 | { 89 | pvLdrQueryProcessModuleInformation = LdrQueryProcessModuleInformation; 90 | pvRtlExitUserThread = RtlExitUserThread; 91 | QueueApcThread = ZwQueueApcThread; 92 | } 93 | 94 | NTSTATUS status; 95 | 96 | if (ExportSuppression) 97 | { 98 | if (0 > (status = SetExportValid(hProcess, pvLdrQueryProcessModuleInformation, pvRtlExitUserThread))) 99 | { 100 | return status; 101 | } 102 | } 103 | 104 | HANDLE hThread; 105 | if (0 <= (status = RtlCreateUserThread(hProcess, 0, TRUE, 0, 0, 0, pvRtlExitUserThread, 0, &hThread, 0))) 106 | { 107 | if (0 <= (status = QueueApcThread(hThread, 108 | (PKNORMAL_ROUTINE)pvLdrQueryProcessModuleInformation, 109 | RemoteBaseAddress, 110 | (PVOID)(ULONG_PTR)Size, 111 | (PBYTE)RemoteBaseAddress + Size))) 112 | { 113 | NtSetInformationThread(hThread, ThreadHideFromDebugger, 0, 0); 114 | 115 | if (0 <= (status = ZwResumeThread(hThread, 0))) 116 | { 117 | *phThread = hThread; 118 | 119 | return STATUS_SUCCESS; 120 | } 121 | } 122 | 123 | ZwTerminateThread(hThread, 0); 124 | NtClose(hThread); 125 | } 126 | 127 | return status; 128 | } 129 | 130 | void FreePM(_In_ PRTL_PROCESS_MODULES mods) 131 | { 132 | VirtualFree(mods, 0, MEM_RELEASE); 133 | } 134 | 135 | NTSTATUS QueryPM(_In_ HANDLE dwProcessId, _Out_ PRTL_PROCESS_MODULES* pmods) 136 | { 137 | HANDLE hProcess; 138 | 139 | CLIENT_ID cid = { dwProcessId }; 140 | NTSTATUS status = MyOpenProcess(&hProcess, 141 | PROCESS_VM_OPERATION|PROCESS_CREATE_THREAD|PROCESS_QUERY_INFORMATION|PROCESS_SET_INFORMATION, &zoa, &cid); 142 | 143 | if (0 <= status) 144 | { 145 | PROCESS_EXTENDED_BASIC_INFORMATION pebi = {sizeof(pebi)}; 146 | 147 | if (0 <= (status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pebi, sizeof(pebi), 0))) 148 | { 149 | if (pebi.IsProcessDeleting) 150 | { 151 | status = STATUS_PROCESS_IS_TERMINATING; 152 | } 153 | else if (pebi.IsFrozen && pebi.IsStronglyNamed) 154 | { 155 | status = STATUS_INVALID_DEVICE_STATE; 156 | } 157 | else 158 | { 159 | enum { secshift = 17, secsize = (1 << secshift) }; 160 | 161 | #ifdef _WIN64 162 | if (!ntdll.funcs[0].pv || !ntdll.funcs[1].pv) 163 | #endif 164 | { 165 | pebi.IsWow64Process = 0; 166 | } 167 | 168 | LARGE_INTEGER SectionSize = { (pebi.IsWow64Process ? 2 : 1) << secshift }; 169 | 170 | HANDLE hSection; 171 | 172 | if (0 <= (status = NtCreateSection(&hSection, SECTION_ALL_ACCESS, 0, &SectionSize, PAGE_READWRITE, SEC_COMMIT, 0))) 173 | { 174 | struct QueryBuf 175 | { 176 | ULONG NumberOfModules; 177 | UCHAR buf[secsize - 2 * sizeof(ULONG)]; 178 | ULONG ReturnedSize; 179 | }; 180 | 181 | union { 182 | PVOID BaseAddress = 0; 183 | PRTL_PROCESS_MODULES mods; 184 | QueryBuf* pQb; 185 | }; 186 | 187 | SIZE_T ViewSize = 0; 188 | 189 | if (0 <= (status = ZwMapViewOfSection(hSection, NtCurrentProcess(), 190 | &BaseAddress, 0, 0, 0, &ViewSize, ViewUnmap, 0, PAGE_READWRITE))) 191 | { 192 | BOOLEAN ExportSuppression = IsExportSuppressionEnabled(hProcess); 193 | 194 | PVOID RemoteBaseAddress = 0; 195 | 196 | if (0 <= (status = ZwMapViewOfSection(hSection, hProcess, &RemoteBaseAddress, 0, 197 | 0, 0, &(ViewSize = 0), ViewUnmap, 0, PAGE_READWRITE))) 198 | { 199 | DoIoControl(IOCTL_SetProtectedProcess); 200 | 201 | HANDLE hThreads[2]{}; 202 | 203 | if (0 <= (status = StartQuery(hProcess, RemoteBaseAddress, 204 | secsize - sizeof(ULONG), ExportSuppression, 205 | #ifdef _WIN64 206 | FALSE, 207 | #endif 208 | hThreads))) 209 | { 210 | ULONG HandleCount = 1; 211 | 212 | #ifdef _WIN64 213 | if (pebi.IsWow64Process && 0 <= (status = StartQuery( 214 | hProcess, RtlOffsetToPointer(RemoteBaseAddress, secsize), 215 | secsize - sizeof(ULONG), 216 | ExportSuppression, TRUE, hThreads + 1))) 217 | { 218 | HandleCount = 2; 219 | } 220 | #endif 221 | 222 | LARGE_INTEGER Timeout = { (ULONG)-10000000, -1 }; 223 | 224 | status = ZwWaitForMultipleObjects(HandleCount, hThreads, WaitAll, TRUE, &Timeout); 225 | 226 | if (status) 227 | { 228 | ULONG i = HandleCount; 229 | do 230 | { 231 | ZwTerminateThread(hThreads[--i], 0); 232 | } while (i); 233 | } 234 | 235 | status = STATUS_UNSUCCESSFUL; 236 | 237 | if (ULONG NumberOfModules = mods->NumberOfModules) 238 | { 239 | if (pQb->ReturnedSize == __builtin_offsetof(RTL_PROCESS_MODULES, Modules) + NumberOfModules * sizeof(RTL_PROCESS_MODULE_INFORMATION)) 240 | { 241 | #ifdef _WIN64 242 | if (HandleCount == 2) 243 | { 244 | union { 245 | PRTL_PROCESS_MODULES32 mods32; 246 | QueryBuf* pQb32; 247 | }; 248 | 249 | pQb32 = pQb + 1; 250 | 251 | Add32Modules(mods, mods32, pQb32->ReturnedSize); 252 | } 253 | #endif 254 | 255 | *pmods = mods, BaseAddress = 0, status = STATUS_SUCCESS; 256 | } 257 | } 258 | 259 | do 260 | { 261 | NtClose(hThreads[--HandleCount]); 262 | } while (HandleCount); 263 | 264 | } 265 | 266 | DoIoControl(IOCTL_DelProtectedProcess); 267 | 268 | ZwUnmapViewOfSection(hProcess, RemoteBaseAddress); 269 | } 270 | 271 | if (BaseAddress) ZwUnmapViewOfSection(NtCurrentProcess(), BaseAddress); 272 | } 273 | 274 | NtClose(hSection); 275 | } 276 | } 277 | } 278 | 279 | NtClose(hProcess); 280 | } 281 | 282 | return status; 283 | } 284 | 285 | _NT_END -------------------------------------------------------------------------------- /MEM DUMP/resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 3 | // Used by MemDump.rc 4 | // 5 | #define IDD_MEMDUMP_DIALOG 102 6 | #define IDR_MAINFRAME 128 7 | #define IDD_DIALOG2 129 8 | #define IDD_DIALOG1 141 9 | #define IDC_COMBO2 1000 10 | #define IDC_RADIO1 1001 11 | #define IDC_RADIO2 1002 12 | #define IDC_RADIO3 1003 13 | #define IDC_SPIN2 1005 14 | #define IDC_CHECK2 1006 15 | #define IDC_CHECK3 1007 16 | #define IDC_CHECK4 1008 17 | #define IDC_STATIC2 1011 18 | #define IDC_STATIC1 1012 19 | #define IDC_STATIC3 1013 20 | #define IDC_STATIC4 1014 21 | #define IDC_BUTTON3 1015 22 | #define IDC_BUTTON4 1016 23 | #define IDC_BUTTON5 1017 24 | #define IDC_BUTTON6 1018 25 | #define IDC_BUTTON7 1019 26 | #define IDC_BUTTON1 1101 27 | #define IDC_BUTTON2 1102 28 | #define IDC_EDIT1 1201 29 | #define IDC_EDIT2 1202 30 | #define IDC_EDIT3 1203 31 | #define IDC_EDIT4 1204 32 | #define IDC_EDIT5 1205 33 | #define IDC_EDIT6 1206 34 | #define IDC_EDIT7 1207 35 | #define IDC_EDIT8 1208 36 | #define IDC_EDIT9 1209 37 | #define IDC_EDIT10 1210 38 | #define IDC_EDIT11 1211 39 | #define IDC_EDIT12 1212 40 | #define IDC_EDIT13 1214 41 | #define IDC_COMBO1 1301 42 | #define IDC_CHECK1 1401 43 | 44 | // Next default values for new objects 45 | // 46 | #ifdef APSTUDIO_INVOKED 47 | #ifndef APSTUDIO_READONLY_SYMBOLS 48 | #define _APS_NEXT_RESOURCE_VALUE 130 49 | #define _APS_NEXT_COMMAND_VALUE 32771 50 | #define _APS_NEXT_CONTROL_VALUE 1020 51 | #define _APS_NEXT_SYMED_VALUE 101 52 | #endif 53 | #endif 54 | -------------------------------------------------------------------------------- /MEM DUMP/x64/MemDump.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/partial/6fe64e3f2c8c54b21cd75bdd7c855ecb29640cae/MEM DUMP/x64/MemDump.exe -------------------------------------------------------------------------------- /MEM DUMP/x86/MemDump.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/partial/6fe64e3f2c8c54b21cd75bdd7c855ecb29640cae/MEM DUMP/x86/MemDump.exe -------------------------------------------------------------------------------- /PP/CFG.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | 3 | _NT_BEGIN 4 | 5 | NTSTATUS 6 | GetProcessMitigationPolicy( 7 | _In_ HANDLE hProcess, 8 | _In_ PROCESS_MITIGATION_POLICY MitigationPolicy, 9 | _Out_writes_bytes_(ULONG) PVOID lpBuffer 10 | ) 11 | { 12 | struct PROCESS_MITIGATION { 13 | PROCESS_MITIGATION_POLICY Policy; 14 | ULONG Flags; 15 | }; 16 | 17 | PROCESS_MITIGATION m = { MitigationPolicy }; 18 | NTSTATUS status = NtQueryInformationProcess(hProcess, ProcessMitigationPolicy, &m, sizeof(m), 0); 19 | if (0 <= status) 20 | { 21 | *(PULONG)lpBuffer = m.Flags; 22 | return STATUS_SUCCESS; 23 | } 24 | 25 | return status; 26 | } 27 | 28 | BOOLEAN IsExportSuppressionEnabled(HANDLE hProcess) 29 | { 30 | PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY cfg; 31 | 32 | return 0 <= GetProcessMitigationPolicy(hProcess, ProcessControlFlowGuardPolicy, &cfg) && 33 | cfg.EnableControlFlowGuard && cfg.EnableExportSuppression; 34 | } 35 | 36 | BOOL WINAPI SetProcessValidCallTargetsNotImpl( 37 | _In_ HANDLE /*hProcess*/, 38 | _In_ PVOID /*VirtualAddress*/, 39 | _In_ SIZE_T /*RegionSize*/, 40 | _In_ ULONG /*NumberOfOffsets*/, 41 | _Inout_updates_(NumberOfOffsets) PCFG_CALL_TARGET_INFO /*OffsetInformation*/ 42 | ) 43 | { 44 | RtlNtStatusToDosError(STATUS_NOT_IMPLEMENTED); 45 | return FALSE; 46 | } 47 | 48 | EXTERN_C { 49 | extern PVOID __imp_SetProcessValidCallTargets; 50 | } 51 | 52 | #ifdef _X86_ 53 | #pragma comment(linker, "/alternatename:__imp__SetProcessValidCallTargets@20=___imp_SetProcessValidCallTargets") 54 | #pragma comment(linker, "/include:___imp_SetProcessValidCallTargets") 55 | #else 56 | #pragma comment(linker, "/include:__imp_SetProcessValidCallTargets") 57 | #endif 58 | 59 | BOOL WINAPI SetProcessValidCallTargetsTemp( 60 | _In_ HANDLE hProcess, 61 | _In_ PVOID VirtualAddress, 62 | _In_ SIZE_T RegionSize, 63 | _In_ ULONG NumberOfOffsets, 64 | _Inout_updates_(NumberOfOffsets) PCFG_CALL_TARGET_INFO OffsetInformation 65 | ) 66 | { 67 | if (PVOID pv = GetProcAddress(GetModuleHandle(L"Kernelbase"), "SetProcessValidCallTargets")) 68 | { 69 | __imp_SetProcessValidCallTargets = pv; 70 | } 71 | else 72 | { 73 | __imp_SetProcessValidCallTargets = SetProcessValidCallTargetsNotImpl; 74 | } 75 | 76 | return SetProcessValidCallTargets(hProcess, VirtualAddress, RegionSize, NumberOfOffsets, OffsetInformation); 77 | } 78 | 79 | EXTERN_C { 80 | PVOID __imp_SetProcessValidCallTargets = SetProcessValidCallTargetsTemp; 81 | } 82 | 83 | NTSTATUS SetExportValid(HANDLE hProcess, LPCVOID pv) 84 | { 85 | MEMORY_BASIC_INFORMATION mbi; 86 | 87 | NTSTATUS status = NtQueryVirtualMemory(hProcess, (void*)pv, MemoryBasicInformation, &mbi, sizeof(mbi), 0); 88 | 89 | if (0 <= status) 90 | { 91 | if (mbi.State != MEM_COMMIT || mbi.Type != MEM_IMAGE) 92 | { 93 | return STATUS_INVALID_ADDRESS; 94 | } 95 | 96 | CFG_CALL_TARGET_INFO OffsetInformation = { 97 | (ULONG_PTR)pv - (ULONG_PTR)mbi.BaseAddress, 98 | CFG_CALL_TARGET_CONVERT_EXPORT_SUPPRESSED_TO_VALID | CFG_CALL_TARGET_VALID 99 | }; 100 | 101 | return SetProcessValidCallTargets(hProcess, mbi.BaseAddress, mbi.RegionSize, 1, &OffsetInformation) && 102 | (OffsetInformation.Flags & CFG_CALL_TARGET_PROCESSED) ? STATUS_SUCCESS : STATUS_STRICT_CFG_VIOLATION; 103 | } 104 | 105 | return status; 106 | } 107 | 108 | NTSTATUS SetExportValid(HANDLE hProcess, LPCVOID pv1, LPCVOID pv2) 109 | { 110 | if (pv1 > pv2) 111 | { 112 | LPCVOID pv = pv2; 113 | pv2 = pv1, pv1 = pv; 114 | } 115 | 116 | MEMORY_BASIC_INFORMATION mbi; 117 | 118 | NTSTATUS status; 119 | 120 | if (0 <= (status = NtQueryVirtualMemory(hProcess, (void*)pv2, MemoryBasicInformation, &mbi, sizeof(mbi), 0))) 121 | { 122 | if (mbi.State != MEM_COMMIT || mbi.Type != MEM_IMAGE) 123 | { 124 | return STATUS_INVALID_ADDRESS; 125 | } 126 | 127 | CFG_CALL_TARGET_INFO OffsetInformation[] = { 128 | { ((ULONG_PTR)pv1 - (ULONG_PTR)mbi.AllocationBase) & ~15, CFG_CALL_TARGET_CONVERT_EXPORT_SUPPRESSED_TO_VALID | CFG_CALL_TARGET_VALID }, 129 | { ((ULONG_PTR)pv2 - (ULONG_PTR)mbi.AllocationBase) & ~15, CFG_CALL_TARGET_CONVERT_EXPORT_SUPPRESSED_TO_VALID | CFG_CALL_TARGET_VALID }, 130 | }; 131 | 132 | mbi.RegionSize += (ULONG_PTR)mbi.BaseAddress - (ULONG_PTR)mbi.AllocationBase; 133 | 134 | if (mbi.AllocationBase <= pv1) 135 | { 136 | return SetProcessValidCallTargets(hProcess, mbi.AllocationBase, 137 | mbi.RegionSize, _countof(OffsetInformation), OffsetInformation) && 138 | (OffsetInformation[0].Flags & CFG_CALL_TARGET_PROCESSED) && 139 | (OffsetInformation[1].Flags & CFG_CALL_TARGET_PROCESSED) ? STATUS_SUCCESS : STATUS_STRICT_CFG_VIOLATION; 140 | } 141 | 142 | if (!SetProcessValidCallTargets(hProcess, mbi.AllocationBase, mbi.RegionSize, 1, OffsetInformation + 1) || 143 | !(OffsetInformation[1].Flags & CFG_CALL_TARGET_PROCESSED)) 144 | { 145 | return STATUS_STRICT_CFG_VIOLATION; 146 | } 147 | 148 | return SetExportValid(hProcess, pv1); 149 | } 150 | 151 | return status; 152 | } 153 | 154 | _NT_END -------------------------------------------------------------------------------- /PP/DllList.cpp: -------------------------------------------------------------------------------- 1 | // PeVw.cpp : Defines the entry point for the console application. 2 | // 3 | 4 | #include "stdafx.h" 5 | #include "../ntver/nt_ver.h" 6 | _NT_BEGIN 7 | #include "../inc/initterm.h" 8 | #include "../winz/split.h" 9 | #include "common.h" 10 | #include "qpm.h" 11 | 12 | #include "../tkn/tkn.h" 13 | 14 | NTSTATUS DoIoControl(ULONG code); 15 | 16 | //#undef DbgPrint 17 | #pragma warning(disable : 4456) 18 | extern volatile const UCHAR guz = 0; 19 | OBJECT_ATTRIBUTES zoa = { sizeof(zoa) }; 20 | 21 | enum Colum { CID_ORDER, CID_COUNT, CID_BASE, CID_SIZE, CID_NAME, CID_MAX }; 22 | 23 | enum { SB_COUNTID, SB_DLLID, SB_INFOID, SB_STATUSID }; 24 | 25 | void SetEditText(HWND hwnd, PVOID txt); 26 | 27 | ULONG FormatStatus(NTSTATUS status, PWSTR lpBuffer, ULONG cch) 28 | { 29 | static HMODULE s_ntdll; 30 | if (!s_ntdll) 31 | { 32 | s_ntdll = GetModuleHandleW(L"ntdll"); 33 | } 34 | 35 | return s_ntdll ? FormatMessageW( 36 | FORMAT_MESSAGE_FROM_HMODULE|FORMAT_MESSAGE_IGNORE_INSERTS, s_ntdll, status, 0, lpBuffer, cch, 0) : 0; 37 | } 38 | 39 | void SetStatusMsg(NTSTATUS status, ZSDIFrameWnd* pMainFrame = ZGLOBALS::getMainFrame()) 40 | { 41 | WCHAR msg[0x100]; 42 | if (FormatStatus(status, msg, _countof(msg))) 43 | { 44 | pMainFrame->SetStatusText(SB_STATUSID, msg); 45 | } 46 | } 47 | 48 | void SetDllCount(ULONG cItems, ZSDIFrameWnd* pMainFrame = ZGLOBALS::getMainFrame()) 49 | { 50 | WCHAR buf[64]; 51 | swprintf_s(buf, _countof(buf), L"%u DLLs", cItems); 52 | pMainFrame->SetStatusText(SB_DLLID, buf); 53 | } 54 | 55 | ULONG Init(_Inout_ PSYSTEM_PROCESS_INFORMATION pspi) 56 | { 57 | ULONG NextEntryOffset = 0, n = 0; 58 | do 59 | { 60 | (PBYTE&)pspi += NextEntryOffset; 61 | pspi->PageDirectoryBase = 0; 62 | pspi->SpareLi1.LowPart = 0; 63 | pspi->SpareLi1.HighPart = STATUS_UNSUCCESSFUL; 64 | pspi->SpareLi2.QuadPart = 0; 65 | pspi->SpareLi3.QuadPart = 0; 66 | 67 | n++; 68 | 69 | } while (NextEntryOffset = pspi->NextEntryOffset); 70 | 71 | return n; 72 | } 73 | 74 | ULONG WINAPI QueryThread(NAMES* Table) 75 | { 76 | ULONG n = 0; 77 | PSYSTEM_PROCESS_INFORMATION pspi = Table->BuildListOfProcesses(); 78 | 79 | if (pspi) 80 | { 81 | n = Init(pspi); 82 | 83 | static LARGE_INTEGER SectionSize = { MaxThreads << secshift }; 84 | 85 | HANDLE hSection; 86 | 87 | if (0 <= NtCreateSection(&hSection, SECTION_ALL_ACCESS, 0, &SectionSize, PAGE_READWRITE, SEC_COMMIT, 0)) 88 | { 89 | PVOID BaseAddress = 0; 90 | SIZE_T ViewSize = 0; 91 | 92 | if (0 <= ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, 0, 0, 0, &ViewSize, ViewUnmap, 0, PAGE_READWRITE)) 93 | { 94 | DoIoControl(IOCTL_SetProtectedProcess); 95 | 96 | Table->QueryLoop(pspi, hSection, BaseAddress); 97 | 98 | DoIoControl(IOCTL_DelProtectedProcess); 99 | 100 | ZwUnmapViewOfSection(NtCurrentProcess(), BaseAddress); 101 | } 102 | 103 | NtClose(hSection); 104 | } 105 | } 106 | 107 | Table->Finish(n, pspi); 108 | Table->Release(); 109 | return 0; 110 | } 111 | 112 | ////////////////////////////////////////////////////////////////////////// 113 | 114 | HIMAGELIST CreateIL(HINSTANCE hInstance, int cx, int cy, UINT flags, DWORD n, WORD pID[]) 115 | { 116 | HIMAGELIST himl = ImageList_Create(cx, cy, flags, n, 0); 117 | 118 | if (himl) 119 | { 120 | do 121 | { 122 | if (HICON hi = (HICON)LoadImage(hInstance, MAKEINTRESOURCE(*pID++), IMAGE_ICON, 0, 0, 0)) 123 | { 124 | ImageList_ReplaceIcon(himl, -1, hi); 125 | DestroyIcon(hi); 126 | } 127 | } while (--n); 128 | } 129 | 130 | return himl; 131 | } 132 | 133 | HWND CreateToolWnd(PCSTR Name, HWND hwndParent) 134 | { 135 | int len = MultiByteToWideChar(CP_ACP, 0, Name, MAXDWORD, 0, 0); 136 | if (0 > len) return 0; 137 | 138 | STATIC_WSTRING(loaded_to, " loaded in:"); 139 | PWSTR sz = (PWSTR)alloca((len << 1) + sizeof(loaded_to) - 1); 140 | 141 | MultiByteToWideChar(CP_ACP, 0, Name, len, sz, len); 142 | wcscpy(sz + len - 1, loaded_to); 143 | 144 | int cx = GetSystemMetrics(SM_CXSCREEN), cy = GetSystemMetrics(SM_CYSCREEN); 145 | 146 | return CreateWindowExW(WS_EX_TOOLWINDOW, WC_EDIT, sz, 147 | WS_POPUPWINDOW|WS_THICKFRAME|WS_HSCROLL|WS_DLGFRAME|WS_VSCROLL|ES_MULTILINE|ES_READONLY, 148 | (cx - 400) >> 1, (cy - 480) >> 1, 149 | 400, 480, hwndParent, 0, 0, 0); 150 | } 151 | 152 | void ShowProtectedProcesses(HWND hwnd); 153 | void ShowSessions(HWND hwnd); 154 | void ShowPolicy(HWND hwnd); 155 | 156 | void ShowPopup(PCWSTR caption, HWND hwndParent, HFONT hFont, void (*SetText)(HWND hwnd)) 157 | { 158 | if (HWND hwnd = CreateWindowExW(0, WC_EDIT, caption, WS_OVERLAPPEDWINDOW|WS_VSCROLL|ES_MULTILINE|ES_READONLY, 159 | CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, hwndParent, 0, 0, 0)) 160 | { 161 | SendMessage(hwnd, WM_SETFONT, (WPARAM)hFont, 0); 162 | 163 | SetText(hwnd); 164 | 165 | ShowWindow(hwnd, SW_SHOWNORMAL); 166 | } 167 | } 168 | 169 | NTSTATUS MyOpenProcess(PHANDLE ProcessHandle, ULONG DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID Cid); 170 | 171 | NTSTATUS AllocForEdit(ULONG cb, void** ppv) 172 | { 173 | if (PVOID buf = LocalAlloc(0, cb)) 174 | { 175 | *ppv = buf; 176 | return STATUS_SUCCESS; 177 | } 178 | 179 | return STATUS_NO_MEMORY; 180 | } 181 | 182 | NTSTATUS ShowCmdLineOld(HANDLE UniqueProcess, HWND hwnd) 183 | { 184 | HANDLE hProcess; 185 | CLIENT_ID cid = { UniqueProcess }; 186 | NTSTATUS status = MyOpenProcess(&hProcess, PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, &zoa, &cid); 187 | if (0 <= status) 188 | { 189 | PROCESS_BASIC_INFORMATION pbi; 190 | UNICODE_STRING CmdLine; 191 | union { 192 | _RTL_USER_PROCESS_PARAMETERS * ProcessParameters; 193 | PVOID buf; 194 | }; 195 | 196 | if ( 197 | 0 <= (status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), 0)) && 198 | 0 <= (status = ZwReadVirtualMemory(hProcess, &((_PEB*)pbi.PebBaseAddress)->ProcessParameters, &ProcessParameters, sizeof(ProcessParameters), 0)) && 199 | 0 <= (status = ZwReadVirtualMemory(hProcess, &ProcessParameters->CommandLine, &CmdLine, sizeof(CmdLine), 0)) && 200 | 0 <= (status = AllocForEdit(CmdLine.Length + sizeof(WCHAR), &buf)) 201 | ) 202 | { 203 | if (0 <= (status = ZwReadVirtualMemory(hProcess, CmdLine.Buffer, buf, CmdLine.Length, 0))) 204 | { 205 | *(PWSTR)RtlOffsetToPointer(buf, CmdLine.Length) = 0; 206 | SetEditText(hwnd, buf), buf = 0; 207 | } 208 | 209 | LocalFree(buf); 210 | } 211 | 212 | NtClose(hProcess); 213 | } 214 | 215 | return status; 216 | } 217 | 218 | void ShowCmdLineEx(PCSTR cmdline, HANDLE UniqueProcess, HWND hwndParent, HFONT hFont) 219 | { 220 | WCHAR caption[32]; 221 | swprintf_s(caption, _countof(caption), L"%X Process CmdLine", (DWORD)(ULONG_PTR)UniqueProcess); 222 | if (HWND hwnd = CreateWindowExW(0, WC_EDIT, caption, WS_OVERLAPPEDWINDOW|WS_VSCROLL|ES_MULTILINE|ES_READONLY, 223 | CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, hwndParent, 0, 0, 0)) 224 | { 225 | SendMessage(hwnd, WM_SETFONT, (WPARAM)hFont, 0); 226 | 227 | if (cmdline) 228 | { 229 | PWSTR psz = 0; 230 | ULONG cch = 0; 231 | while (cch = MultiByteToWideChar(CP_UTF8, 0, cmdline, MAXULONG, psz, cch)) 232 | { 233 | if (psz) 234 | { 235 | SetEditText(hwnd, psz), psz = 0; 236 | break; 237 | } 238 | 239 | if (!(psz = (PWSTR)LocalAlloc(0, cch*sizeof(WCHAR)))) 240 | { 241 | break; 242 | } 243 | } 244 | 245 | if (psz) 246 | { 247 | LocalFree(psz); 248 | } 249 | } 250 | else if (g_nt_ver.Version < _WIN32_WINNT_WINBLUE) 251 | { 252 | ShowCmdLineOld(UniqueProcess, hwnd); 253 | } 254 | 255 | ShowWindow(hwnd, SW_SHOWNORMAL); 256 | } 257 | } 258 | 259 | void InitTreeView(HWND hwnd, TVINSERTSTRUCT* tvis, _In_ PSYSTEM_PROCESS_INFORMATION pspi, _In_ HANDLE UniqueProcessId) 260 | { 261 | pspi->SpareLi3.LowPart = 1; 262 | 263 | HTREEITEM hParent = tvis->hParent; 264 | 265 | tvis->item.lParam = hParent == TVI_ROOT ? -(LPARAM)UniqueProcessId : (LPARAM)pspi; 266 | 267 | tvis->hParent = TreeView_InsertItem(hwnd, tvis); 268 | 269 | while (ULONG NextEntryOffset = pspi->NextEntryOffset) 270 | { 271 | (PBYTE&)pspi += NextEntryOffset; 272 | 273 | if (pspi->InheritedFromUniqueProcessId == UniqueProcessId) 274 | { 275 | InitTreeView(hwnd, tvis, pspi, pspi->UniqueProcessId); 276 | } 277 | } 278 | 279 | tvis->hParent = hParent; 280 | } 281 | 282 | void InitTreeView(HWND hwnd, PSYSTEM_PROCESS_INFORMATION pspi) 283 | { 284 | TVINSERTSTRUCT tvis = { TVI_ROOT, TVI_LAST }; 285 | 286 | tvis.item.mask = TVIF_PARAM|TVIF_TEXT|TVIF_STATE|TVIF_IMAGE|TVIF_SELECTEDIMAGE; 287 | tvis.item.state = TVIS_EXPANDED; 288 | tvis.item.stateMask = TVIS_EXPANDED; 289 | tvis.item.iImage = I_IMAGENONE; 290 | tvis.item.iSelectedImage = 0; 291 | 292 | tvis.item.pszText = LPSTR_TEXTCALLBACK; 293 | tvis.item.lParam = 0; 294 | 295 | PSYSTEM_PROCESS_INFORMATION _pspi = pspi; 296 | 297 | ULONG _NextEntryOffset = pspi->NextEntryOffset; 298 | 299 | ULONG NextEntryOffset = 0; 300 | do 301 | { 302 | (PBYTE&)pspi += NextEntryOffset; 303 | 304 | if (HANDLE UniqueProcessId = pspi->UniqueProcessId) 305 | { 306 | if (!pspi->SpareLi3.LowPart) 307 | { 308 | _pspi->NextEntryOffset = RtlPointerToOffset(_pspi, pspi); 309 | InitTreeView(hwnd, &tvis, _pspi, pspi->InheritedFromUniqueProcessId); 310 | } 311 | } 312 | 313 | } while (NextEntryOffset = pspi->NextEntryOffset); 314 | 315 | _pspi->NextEntryOffset = _NextEntryOffset; 316 | } 317 | 318 | class MySplit : public ZSplitWnd 319 | { 320 | NAMES* _pTable = 0; 321 | PSYSTEM_PROCESS_INFORMATION _pspi = 0, _pspiCurrent = 0; 322 | PROCESS_MODULE** _ppm = 0; 323 | HIMAGELIST _himl = 0; 324 | HFONT _hFont = 0; 325 | HWND _hwndLV, _hwndTV; 326 | ULONG _iSubItem = CID_ORDER, _iSelItem = MAXULONG, _iMenuHeight = 0, _cItems = 0; 327 | LONG _sortBits = 0, _flags = (1 << f_ready); 328 | 329 | enum{ 330 | f_ready, f_grid, f_inDelete, f_focus, f_select 331 | }; 332 | 333 | BOOL OnCreate(HWND hwnd) 334 | { 335 | NONCLIENTMETRICS ncm = { sizeof(NONCLIENTMETRICS) }; 336 | if (SystemParametersInfo(SPI_GETNONCLIENTMETRICS, sizeof(ncm), &ncm, 0)) 337 | { 338 | ncm.lfCaptionFont.lfHeight = -ncm.iMenuHeight; 339 | ncm.lfCaptionFont.lfWeight = FW_NORMAL; 340 | ncm.lfCaptionFont.lfQuality = CLEARTYPE_QUALITY; 341 | ncm.lfCaptionFont.lfPitchAndFamily = FIXED_PITCH|FF_MODERN; 342 | wcscpy(ncm.lfCaptionFont.lfFaceName, L"Courier New"); 343 | 344 | if (HFONT hFont = CreateFontIndirect(&ncm.lfCaptionFont)) 345 | { 346 | _iMenuHeight = ncm.iMenuHeight; 347 | 348 | if (NAMES* pTable = new NAMES(hwnd)) 349 | { 350 | if (pTable->Create(0x200000)) 351 | { 352 | _pTable = pTable, _hFont = hFont; 353 | return TRUE; 354 | } 355 | 356 | delete pTable; 357 | } 358 | 359 | DeleteObject(hFont); 360 | } 361 | } 362 | 363 | return FALSE; 364 | } 365 | 366 | void FreePPM() 367 | { 368 | if (PROCESS_MODULE** ppm = _ppm) 369 | { 370 | _pTable->freea(ppm), _ppm = 0; 371 | } 372 | } 373 | 374 | void OnDestroy() 375 | { 376 | if (NAMES* pTable = _pTable) 377 | { 378 | FreePPM(); 379 | pTable->Release(); 380 | } 381 | 382 | if (HFONT hFont = _hFont) 383 | { 384 | DeleteObject(hFont); 385 | } 386 | } 387 | 388 | void OnTaskReady(ULONG n, PSYSTEM_PROCESS_INFORMATION pspi); 389 | 390 | void GetDispInfo(TVITEMW* item); 391 | void GetDispInfo(LVITEMW* item); 392 | void GetInfoTip(NMTVGETINFOTIP* item); 393 | void ItemChanged(NMLISTVIEW* item); 394 | void ColumClick(HWND hwndLV, ULONG iSubItem); 395 | 396 | void BuildProcessList() 397 | { 398 | if (_bittest(&_flags, f_ready)) 399 | { 400 | _bittestandreset(&_flags, f_ready); 401 | 402 | FreePPM(); 403 | 404 | NAMES* pTable = _pTable; 405 | 406 | pTable->Reset(); 407 | pTable->AddRef(); 408 | 409 | HANDLE hThread = CreateThread(0, 0, (PTHREAD_START_ROUTINE)QueryThread, pTable, 0, 0); 410 | if (hThread) 411 | { 412 | NtClose(hThread); 413 | } 414 | else 415 | { 416 | pTable->Release(); 417 | } 418 | 419 | ZSDIFrameWnd* pFrame = ZGLOBALS::get()->MainFrame; 420 | 421 | pFrame->SetStatusText(SB_DLLID, 0); 422 | pFrame->SetStatusText(SB_INFOID, 0); 423 | 424 | pFrame->EnableCmd(ID_SESSIONS, FALSE); 425 | pFrame->EnableCmd(ID_REFRESH, FALSE); 426 | pFrame->EnableCmd(ID_COPY, FALSE); 427 | pFrame->EnableCmd(ID_FIND, FALSE); 428 | pFrame->EnableCmd(ID_CMDLINE, FALSE); 429 | 430 | _iSelItem = MAXULONG, _pspiCurrent = 0, _pspi = 0; 431 | 432 | _flags &= ~((1 << f_select) | (1 << f_focus)); 433 | 434 | _bittestandset(&_flags, f_inDelete); 435 | SendMessage(_hwndTV, WM_SETREDRAW, FALSE, 0); 436 | TreeView_DeleteAllItems(_hwndTV); 437 | _bittestandreset(&_flags, f_inDelete); 438 | 439 | ListView_SetItemCountEx(_hwndLV, 0, 0); 440 | 441 | if (!hThread) 442 | { 443 | Done(0); 444 | } 445 | } 446 | } 447 | 448 | void Done(ULONG n) 449 | { 450 | WCHAR sz[64]; 451 | swprintf_s(sz, _countof(sz), L" %u Processes", n); 452 | ZSDIFrameWnd* pFrame = ZGLOBALS::getMainFrame(); 453 | 454 | pFrame->SetStatusText(SB_COUNTID, sz); 455 | pFrame->EnableCmd(ID_REFRESH, TRUE); 456 | pFrame->EnableCmd(ID_SESSIONS, TRUE); 457 | 458 | SendMessage(_hwndTV, WM_SETREDRAW, TRUE, 0); 459 | _bittestandset(&_flags, f_ready); 460 | } 461 | 462 | void DisplayDLLs(LPARAM lParam) 463 | { 464 | ZSDIFrameWnd* pMainFrame = ZGLOBALS::getMainFrame(); 465 | 466 | pMainFrame->EnableCmd(ID_COPY, FALSE); 467 | pMainFrame->EnableCmd(ID_FIND, FALSE); 468 | pMainFrame->EnableCmd(ID_CMDLINE, TRUE); 469 | pMainFrame->SetStatusText(SB_STATUSID, 0); 470 | 471 | _flags &= ~((1 << f_select) | (1 << f_focus)); 472 | 473 | _iSelItem = MAXULONG, _pspiCurrent = 0, _cItems = 0; 474 | 475 | NAMES* pTable = _pTable; 476 | 477 | FreePPM(); 478 | 479 | if (0 > lParam) 480 | { 481 | ListView_SetItemCountEx(_hwndLV, 0, 0); 482 | pMainFrame->SetStatusText(SB_INFOID, 0); 483 | 484 | SetStatusMsg(STATUS_PROCESS_IS_TERMINATING, pMainFrame); 485 | 486 | return ; 487 | } 488 | 489 | if (0 < lParam) 490 | { 491 | DisplayDLLs((PSYSTEM_PROCESS_INFORMATION)lParam); 492 | return ; 493 | } 494 | 495 | ULONG cItems = RtlNumberGenericTableElementsAvl(pTable); 496 | 497 | if (cItems) 498 | { 499 | SetDllCount(cItems, pMainFrame); 500 | 501 | if (PROCESS_MODULE** ppm = (PROCESS_MODULE**)pTable->malloca(cItems * sizeof(PROCESS_MODULE*))) 502 | { 503 | pTable->FillModules(ppm); 504 | _ppm = ppm, _cItems = cItems; 505 | 506 | HWND hwndLV = _hwndLV; 507 | 508 | switch (ULONG iSubItem = _iSubItem) 509 | { 510 | case CID_ORDER: 511 | case CID_BASE: 512 | { 513 | LVCOLUMN lc = { LVCF_FMT, LVCFMT_LEFT }; 514 | ListView_SetColumn(hwndLV, iSubItem, &lc); 515 | lc.fmt = LVCFMT_LEFT|HDF_SORTUP; 516 | ListView_SetColumn(hwndLV, CID_NAME, &lc); 517 | _bittestandreset(&_sortBits, CID_NAME); 518 | _iSubItem = CID_NAME; 519 | } 520 | break; 521 | default: 522 | _bittestandcomplement(&_sortBits, iSubItem); 523 | ColumClick(hwndLV, iSubItem); 524 | } 525 | 526 | ListView_SetItemCountEx(hwndLV, cItems, 0); 527 | } 528 | } 529 | } 530 | 531 | void DisplayDLLs(PSYSTEM_PROCESS_INFORMATION pspi) 532 | { 533 | _pspiCurrent = pspi, _cItems = 0; 534 | WCHAR buf[128]; 535 | 536 | TIME_FIELDS tf; 537 | LARGE_INTEGER locatime; 538 | RtlSystemTimeToLocalTime(&pspi->CreateTime, &locatime); 539 | RtlTimeToTimeFields(&locatime, &tf); 540 | 541 | char sz[32]; 542 | ULONG count = (DWORD)(pspi->WorkingSetSize >> 10); 543 | if (count < 1000) 544 | { 545 | sprintf_s(sz, _countof(sz), "%u", count); 546 | } 547 | else 548 | { 549 | sprintf_s(sz, _countof(sz), "%u,%03u", count /1000, count % 1000); 550 | } 551 | 552 | union { 553 | LONG Flags; 554 | struct { 555 | ULONG IsProtectedProcess : 1; 556 | ULONG IsWow64Process : 1; 557 | ULONG IsProcessDeleting : 1; 558 | ULONG IsCrossSessionCreate : 1; 559 | ULONG IsFrozen : 1; 560 | ULONG IsBackground : 1; 561 | ULONG IsStronglyNamed : 1; 562 | ULONG IsSecureProcess : 1; 563 | ULONG IsSubsystemProcess : 1; 564 | ULONG SpareBits : 23; 565 | }; 566 | }; 567 | 568 | Flags = get_Flags(pspi); 569 | 570 | WCHAR cz[] = L"........."; 571 | 572 | static const char sf[] = "PWDCFBNSY"; 573 | 574 | ULONG i = _countof(cz) - 1; 575 | do 576 | { 577 | if (_bittest(&Flags, --i)) 578 | { 579 | cz[i] = sf[i]; 580 | } 581 | } while (i); 582 | 583 | swprintf_s(buf, _countof(buf), L"%s Threads=%d | Session=%u | Handles=%u | %SK | %d-%02d-%02d %02d:%02d:%02d", 584 | cz, pspi->NumberOfThreads, pspi->SessionId, pspi->HandleCount, sz, 585 | tf.Year, tf.Month, tf.Day, tf.Hour, tf.Minute, tf.Second); 586 | 587 | ZGLOBALS::getMainFrame()->SetStatusText(SB_INFOID, buf); 588 | 589 | ULONG cItems = 0; 590 | 591 | if (PROCESS_MODULE* pm = get_modules(pspi, &count)) 592 | { 593 | SetDllCount(count); 594 | 595 | if (PROCESS_MODULE** ppm = (PROCESS_MODULE**)_pTable->malloca(count * sizeof(PROCESS_MODULE*))) 596 | { 597 | _ppm = ppm, cItems = count, _cItems = count; 598 | 599 | do 600 | { 601 | *ppm++ = pm++; 602 | } while (--count); 603 | 604 | ULONG iSubItem = _iSubItem; 605 | if (iSubItem < CID_MAX) 606 | { 607 | _bittestandcomplement(&_sortBits, iSubItem); 608 | ColumClick(_hwndLV, iSubItem); 609 | } 610 | } 611 | } 612 | 613 | if (NTSTATUS status = get_status(pspi)) 614 | { 615 | SetStatusMsg(status); 616 | } 617 | 618 | ListView_SetItemCountEx(_hwndLV, cItems, 0); 619 | } 620 | 621 | virtual LRESULT WindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam); 622 | 623 | virtual HWND CreateChild(BOOL lt, HWND hwndParent, int x, int y, int nWidth, int nHeight) 624 | { 625 | HWND hwnd = 0; 626 | 627 | if (lt) 628 | { 629 | if (hwnd = CreateWindowExW(0, WC_TREEVIEW, 0, WS_CHILD|WS_VISIBLE|WS_BORDER| 630 | TVS_LINESATROOT|TVS_HASLINES|TVS_HASBUTTONS|TVS_DISABLEDRAGDROP| 631 | TVS_TRACKSELECT|TVS_EDITLABELS|TVS_INFOTIP, x, y, nWidth, nHeight, hwndParent, (HMENU)1, 0, 0)) 632 | { 633 | SendMessage(hwnd, WM_SETFONT, (WPARAM)_hFont, 0); 634 | 635 | _hwndTV = hwnd; 636 | 637 | if (_himl) 638 | { 639 | TreeView_SetImageList(hwnd, _himl, TVSIL_NORMAL); 640 | } 641 | 642 | BuildProcessList(); 643 | } 644 | } 645 | else 646 | { 647 | if (hwnd = CreateWindowExW(0, WC_LISTVIEW, 0, 648 | WS_VISIBLE|WS_CHILD|LVS_REPORT|LVS_SHOWSELALWAYS|LVS_OWNERDATA| 649 | LVS_SHAREIMAGELISTS|LVS_SINGLESEL|WS_HSCROLL|WS_VSCROLL|WS_BORDER, 650 | x, y, nWidth, nHeight, hwndParent, (HMENU)2, 0, 0)) 651 | { 652 | SetWindowTheme(hwnd, L"Explorer", 0); 653 | SendMessage(hwnd, WM_SETFONT, (WPARAM)_hFont, 0); 654 | _hwndLV = hwnd; 655 | 656 | LV_COLUMN lvclmn = { 657 | LVCF_TEXT | LVCF_WIDTH | LVCF_FMT | LVCF_SUBITEM, LVCFMT_LEFT 658 | }; 659 | 660 | static const PCWSTR headers[] = { 661 | L" # ", L" N ", L" Base ", L" Size ", L" Name " 662 | }; 663 | 664 | static const ULONG lens[] = { 3, 3, 10 * sizeof(PVOID) >> 3, 6, 48 }; 665 | 666 | C_ASSERT(_countof(headers) == _countof(lens)); 667 | 668 | do 669 | { 670 | lvclmn.pszText = const_cast(headers[lvclmn.iSubItem]); 671 | lvclmn.cx = lens[lvclmn.iSubItem] * _iMenuHeight; 672 | lvclmn.fmt = lvclmn.iSubItem == CID_ORDER ? HDF_SORTDOWN|LVCFMT_LEFT : LVCFMT_LEFT; 673 | 674 | ListView_InsertColumn(hwnd, lvclmn.iSubItem, &lvclmn); 675 | } while (++lvclmn.iSubItem < _countof(headers)); 676 | 677 | ListView_SetExtendedListViewStyle(hwnd, LVS_EX_FULLROWSELECT|LVS_EX_HEADERDRAGDROP|LVS_EX_LABELTIP|LVS_EX_DOUBLEBUFFER); 678 | } 679 | } 680 | 681 | return hwnd; 682 | } 683 | 684 | void OnCopy(HWND hwnd) 685 | { 686 | if (_iSelItem < _cItems) 687 | { 688 | if (PROCESS_MODULE** ppm = _ppm) 689 | { 690 | PROCESS_MODULE* pm = ppm[_iSelItem]; 691 | 692 | PWSTR buf = 0; 693 | int cch = 0; 694 | ULONG cb; 695 | HGLOBAL hg = 0; 696 | 697 | PVOID args[] = { pm->ImageBase, (PVOID)(ULONG_PTR)pm->ImageSize, (PVOID)pm->FullPathName }; 698 | while (0 < (cch = _vsnwprintf(buf, cch, L"%p %x %S", (va_list)args))) 699 | { 700 | if (buf) 701 | { 702 | if (OpenClipboard(hwnd)) 703 | { 704 | EmptyClipboard(); 705 | if (SetClipboardData(CF_UNICODETEXT, hg)) hg = 0; 706 | CloseClipboard(); 707 | } 708 | break; 709 | } 710 | 711 | if (!(hg = GlobalAlloc(GMEM_MOVEABLE, cb = ++cch * sizeof(WCHAR))) || 712 | !(buf = (PWSTR)GlobalLock(hg))) 713 | { 714 | break; 715 | } 716 | 717 | } 718 | if (buf) GlobalUnlock(hg); 719 | if (hg) GlobalFree(hg); 720 | } 721 | } 722 | } 723 | 724 | void ShowOwnedProcesses(HWND hwndParent) 725 | { 726 | if (_iSelItem < _cItems) 727 | { 728 | if (PVOID buf = LocalAlloc(0, 0x10000)) 729 | { 730 | PWSTR psz = (PWSTR)buf; 731 | ULONG cch = 0x8000; 732 | *psz = 0; 733 | 734 | PROCESS_MODULE* pm = _ppm[_iSelItem]; 735 | PCSTR FullPathName = pm->FullPathName; 736 | 737 | ULONG NextEntryOffset = 0; 738 | PSYSTEM_PROCESS_INFORMATION pspi = _pspi; 739 | 740 | do 741 | { 742 | (ULONG_PTR&)pspi += NextEntryOffset; 743 | 744 | ULONG n; 745 | if (PROCESS_MODULE* pm = get_modules(pspi, &n)) 746 | { 747 | do 748 | { 749 | if (pm->FullPathName == FullPathName) 750 | { 751 | int len = swprintf_s(psz, cch, L"%04x %wZ\r\n", (ULONG)(ULONG_PTR)pspi->UniqueProcessId, &pspi->ImageName); 752 | if (0 < len) 753 | { 754 | psz += len, cch -= len; 755 | } 756 | break; 757 | } 758 | } while (pm++, --n); 759 | } 760 | 761 | } while (NextEntryOffset = pspi->NextEntryOffset); 762 | 763 | PCSTR FileName = strrchr(FullPathName, '\\'); 764 | 765 | if (!FileName && !(FileName = strrchr(FullPathName, '/'))) 766 | { 767 | FileName = FullPathName; 768 | } 769 | else 770 | { 771 | FileName++; 772 | } 773 | 774 | if (HWND hwnd = CreateToolWnd( FileName, hwndParent)) 775 | { 776 | SendMessage(hwnd, WM_SETFONT, (WPARAM)_hFont, 0); 777 | 778 | SetEditText(hwnd, buf), buf = 0; 779 | ShowWindow(hwnd, SW_SHOW); 780 | } 781 | 782 | LocalFree(buf); 783 | } 784 | } 785 | } 786 | 787 | ~MySplit() 788 | { 789 | if (HIMAGELIST himl = _himl) 790 | { 791 | ImageList_Destroy(_himl); 792 | } 793 | } 794 | 795 | public: 796 | 797 | MySplit(int t) : ZSplitWnd(TRUE, t, (HBRUSH)(1+COLOR_WINDOW)) 798 | { 799 | static WORD id[] = { IDR_MENU1 }; 800 | _himl = CreateIL((HINSTANCE)&__ImageBase, 16, 16, ILC_COLOR32, RTL_NUMBER_OF(id), id); 801 | } 802 | }; 803 | 804 | void ShowPolicy(HWND hWndParent, HFONT hFont); 805 | void ShowProtectedProcesses(HWND hwnd, HFONT hFont); 806 | 807 | struct Sort 808 | { 809 | int s; 810 | union { 811 | ULONG iSubItem; 812 | Colum c; 813 | }; 814 | 815 | static int CompareU(ULONG_PTR a, ULONG_PTR b) 816 | { 817 | if (a < b) return -1; 818 | if (a > b) return +1; 819 | return 0; 820 | } 821 | 822 | int Compare(PROCESS_MODULE* p, PROCESS_MODULE* q) 823 | { 824 | switch (c) 825 | { 826 | case CID_ORDER: 827 | return CompareU(p->Index, q->Index); 828 | case CID_COUNT: 829 | return CompareU(GetLoadCount(p), GetLoadCount(q)); 830 | case CID_BASE: 831 | return CompareU((ULONG_PTR)p->ImageBase, (ULONG_PTR)q->ImageBase); 832 | case CID_SIZE: 833 | return CompareU(p->ImageSize, q->ImageSize); 834 | case CID_NAME: 835 | return strcmp(p->FullPathName, q->FullPathName); 836 | } 837 | 838 | return 0; 839 | } 840 | 841 | static int __cdecl FuncCompare(void * This, const void * p, const void * q) 842 | { 843 | return reinterpret_cast(This)->s * 844 | reinterpret_cast(This)->Compare(*(PROCESS_MODULE**)p, *(PROCESS_MODULE**)q); 845 | } 846 | }; 847 | 848 | void MySplit::ColumClick(HWND hwndLV, ULONG iSubItem) 849 | { 850 | if (iSubItem < CID_MAX) 851 | { 852 | if (!_pspiCurrent) 853 | { 854 | switch (iSubItem) 855 | { 856 | case CID_ORDER: 857 | case CID_BASE: 858 | return ; 859 | } 860 | } 861 | 862 | if (PROCESS_MODULE** ppm = _ppm) 863 | { 864 | Sort ctx { _bittestandcomplement(&_sortBits, iSubItem) ? +1 : -1, iSubItem }; 865 | 866 | qsort_s(ppm, _cItems, sizeof(PVOID), Sort::FuncCompare, &ctx); 867 | 868 | LVCOLUMN lc = { LVCF_FMT, LVCFMT_LEFT }; 869 | 870 | if (_iSubItem != iSubItem) 871 | { 872 | ListView_SetColumn(hwndLV, _iSubItem, &lc); 873 | _iSubItem = iSubItem; 874 | } 875 | 876 | lc.fmt = 0 < ctx.s ? LVCFMT_LEFT|HDF_SORTUP : LVCFMT_LEFT|HDF_SORTDOWN; 877 | 878 | ListView_SetColumn(hwndLV, iSubItem, &lc); 879 | 880 | InvalidateRect(hwndLV, 0, 0); 881 | } 882 | } 883 | } 884 | 885 | void MySplit::ItemChanged(NMLISTVIEW* item) 886 | { 887 | UINT uNewState = item->uNewState; 888 | 889 | if (0 <= item->iItem) 890 | { 891 | if (uNewState & LVIS_FOCUSED) 892 | { 893 | _bittestandset(&_flags, f_focus); 894 | } 895 | else 896 | { 897 | _bittestandreset(&_flags, f_focus); 898 | } 899 | } 900 | 901 | if (_bittest(&_flags, f_focus)) 902 | { 903 | ZSDIFrameWnd* frame = ZGLOBALS::getMainFrame(); 904 | 905 | if (uNewState & LVIS_SELECTED) 906 | { 907 | _iSelItem = item->iItem; 908 | 909 | if (!_bittestandset(&_flags, f_select)) 910 | { 911 | frame->EnableCmd(ID_COPY, TRUE); 912 | frame->EnableCmd(ID_FIND, TRUE); 913 | } 914 | } 915 | else 916 | { 917 | _iSelItem = MAXULONG; 918 | if (_bittestandreset(&_flags, f_select)) 919 | { 920 | frame->EnableCmd(ID_COPY, FALSE); 921 | frame->EnableCmd(ID_FIND, FALSE); 922 | } 923 | } 924 | } 925 | } 926 | 927 | void MySplit::GetInfoTip(NMTVGETINFOTIP* item) 928 | { 929 | if (ULONG cchTextMax = item->cchTextMax) 930 | { 931 | PWSTR pszText = item->pszText; 932 | 933 | union { 934 | LPARAM lParam; 935 | PSYSTEM_PROCESS_INFORMATION pspi; 936 | }; 937 | 938 | lParam = item->lParam; 939 | 940 | if (0 > lParam) 941 | { 942 | FormatStatus(STATUS_PROCESS_IS_TERMINATING, pszText, cchTextMax); 943 | return ; 944 | } 945 | 946 | if (!lParam) 947 | { 948 | return ; 949 | } 950 | 951 | if (PCSTR psz = get_cmdline(pspi)) 952 | { 953 | MultiByteToWideChar(CP_UTF8, 0, psz, MAXULONG, pszText, cchTextMax); 954 | return ; 955 | } 956 | } 957 | } 958 | 959 | void MySplit::GetDispInfo(LVITEMW* item) 960 | { 961 | if (PROCESS_MODULE** ppm = _ppm) 962 | { 963 | if (item->mask & LVIF_TEXT) 964 | { 965 | ULONG iItem = item->iItem; 966 | 967 | if (iItem < _cItems) 968 | { 969 | if (ULONG cchTextMax = item->cchTextMax) 970 | { 971 | PWSTR pszText = item->pszText; 972 | 973 | *pszText = 0; 974 | 975 | PROCESS_MODULE* pm = ppm[iItem]; 976 | 977 | switch (item->iSubItem) 978 | { 979 | case CID_ORDER: 980 | if (_pspiCurrent) swprintf_s(pszText, cchTextMax, L"%03u", pm->Index); 981 | break; 982 | case CID_COUNT: 983 | swprintf_s(pszText, cchTextMax, L"%03u", GetLoadCount(pm)); 984 | break; 985 | case CID_BASE: 986 | if (_pspiCurrent) swprintf_s(pszText, cchTextMax, L"%p", pm->ImageBase); 987 | break; 988 | case CID_SIZE: 989 | swprintf_s(pszText, cchTextMax, L"%8x", pm->ImageSize); 990 | break; 991 | case CID_NAME: 992 | swprintf_s(pszText, cchTextMax, L"%S", pm->FullPathName); 993 | break; 994 | } 995 | } 996 | } 997 | } 998 | } 999 | } 1000 | 1001 | void MySplit::GetDispInfo(TVITEMW* item) 1002 | { 1003 | if (item->mask & TVIF_TEXT) 1004 | { 1005 | if (ULONG cchTextMax = item->cchTextMax) 1006 | { 1007 | PWSTR pszText = item->pszText; 1008 | 1009 | union { 1010 | LPARAM lParam; 1011 | PSYSTEM_PROCESS_INFORMATION pspi; 1012 | }; 1013 | 1014 | if (0 > (lParam = item->lParam)) 1015 | { 1016 | swprintf_s(pszText, cchTextMax, L"%x", (ULONG)(ULONG_PTR)-lParam); 1017 | } 1018 | else if (0 < lParam) 1019 | { 1020 | if (0 > swprintf_s(pszText, cchTextMax, L"%04x %wZ", (ULONG)(ULONG_PTR)pspi->UniqueProcessId, &pspi->ImageName)) 1021 | { 1022 | __debugbreak(); 1023 | } 1024 | } 1025 | else 1026 | { 1027 | wcscpy_s(pszText, cchTextMax, L"ALL"); 1028 | } 1029 | } 1030 | } 1031 | } 1032 | 1033 | void MySplit::OnTaskReady(ULONG n, PSYSTEM_PROCESS_INFORMATION pspi) 1034 | { 1035 | if (pspi) 1036 | { 1037 | _pspi = pspi; 1038 | InitTreeView(_hwndTV, pspi); 1039 | } 1040 | 1041 | Done(n); 1042 | } 1043 | 1044 | LRESULT MySplit::WindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam) 1045 | { 1046 | switch (uMsg) 1047 | { 1048 | case WM_NCCREATE: 1049 | if (!OnCreate(hwnd)) 1050 | { 1051 | return 0; 1052 | } 1053 | break; 1054 | 1055 | case WM_NCDESTROY: 1056 | OnDestroy(); 1057 | break; 1058 | 1059 | case WM_COMMAND: 1060 | switch (wParam) 1061 | { 1062 | case ID_REFRESH: 1063 | BuildProcessList(); 1064 | break; 1065 | 1066 | case ID_GRID: 1067 | ListView_SetExtendedListViewStyle(_hwndLV, _bittestandcomplement(&_flags, f_grid) ? 1068 | LVS_EX_FULLROWSELECT|LVS_EX_HEADERDRAGDROP|LVS_EX_LABELTIP|LVS_EX_DOUBLEBUFFER 1069 | : LVS_EX_GRIDLINES|LVS_EX_FULLROWSELECT|LVS_EX_HEADERDRAGDROP|LVS_EX_LABELTIP|LVS_EX_DOUBLEBUFFER); 1070 | break; 1071 | 1072 | case ID_COPY: 1073 | OnCopy(hwnd); 1074 | break; 1075 | 1076 | case ID_FIND: 1077 | ShowOwnedProcesses(hwnd); 1078 | break; 1079 | 1080 | case ID_PROTECTED: 1081 | ShowProtectedProcesses(ZGLOBALS::get()->getMainHWND(), _hFont); 1082 | break; 1083 | 1084 | case ID_SESSIONS: 1085 | ShowPopup(L"Logon Sessions", ZGLOBALS::get()->getMainHWND(), _hFont, ShowSessions); 1086 | break; 1087 | 1088 | case ID_POLICY: 1089 | ShowPolicy(ZGLOBALS::get()->getMainHWND(), _hFont); 1090 | break; 1091 | 1092 | case ID_CMDLINE: 1093 | if (_pspiCurrent) 1094 | { 1095 | ShowCmdLineEx(get_cmdline(_pspiCurrent), _pspiCurrent->UniqueProcessId, hwnd, _hFont); 1096 | } 1097 | break; 1098 | } 1099 | break; 1100 | 1101 | case WM_PSI_READY: 1102 | OnTaskReady((ULONG)wParam, (PSYSTEM_PROCESS_INFORMATION)lParam); 1103 | break; 1104 | 1105 | case WM_NOTIFY: 1106 | switch (((NMHDR*)lParam)->code) 1107 | { 1108 | case TVN_GETDISPINFOW: 1109 | if (!_bittest(&_flags, f_inDelete)) 1110 | { 1111 | GetDispInfo(&((LPNMTVDISPINFO)lParam)->item); 1112 | } 1113 | break; 1114 | 1115 | case TVN_SELCHANGED: 1116 | if (!_bittest(&_flags, f_inDelete)) 1117 | { 1118 | DisplayDLLs(((LPNMTREEVIEW)lParam)->itemNew.lParam); 1119 | } 1120 | break; 1121 | 1122 | case TVN_GETINFOTIP: 1123 | if (!_bittest(&_flags, f_inDelete)) 1124 | { 1125 | GetInfoTip((NMTVGETINFOTIP*)lParam); 1126 | } 1127 | break; 1128 | 1129 | case LVN_GETDISPINFO: 1130 | GetDispInfo(&((NMLVDISPINFO*)lParam)->item); 1131 | break; 1132 | 1133 | case LVN_COLUMNCLICK: 1134 | ColumClick(((LPNMLISTVIEW)lParam)->hdr.hwndFrom, ((LPNMLISTVIEW)lParam)->iSubItem); 1135 | break; 1136 | 1137 | case LVN_ITEMCHANGED: 1138 | ItemChanged((LPNMLISTVIEW)lParam); 1139 | break; 1140 | } 1141 | } 1142 | return ZSplitWnd::WindowProc(hwnd, uMsg, wParam, lParam); 1143 | } 1144 | 1145 | class ZMainWnd : public ZSDIFrameWnd 1146 | { 1147 | HWND _hwnd; 1148 | LONG _maskCurrent, _maskNew; 1149 | 1150 | virtual LRESULT WindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam); 1151 | 1152 | virtual BOOL CreateSB(HWND hwnd); 1153 | virtual BOOL CreateTB(HWND hwnd); 1154 | 1155 | virtual PCUNICODE_STRING getPosName() 1156 | { 1157 | STATIC_UNICODE_STRING_(MainWnd); 1158 | return &MainWnd; 1159 | } 1160 | 1161 | virtual BOOL CreateClient(HWND hwnd, int x, int y, int nWidth, int nHeight) 1162 | { 1163 | if (MySplit* p = new MySplit(nWidth>>2)) 1164 | { 1165 | _hwnd = p->Create(0, 0, WS_CHILD|WS_VISIBLE|WS_CLIPCHILDREN, x, y, nWidth, nHeight, hwnd, 0, 0); 1166 | p->Release(); 1167 | } 1168 | 1169 | return _hwnd != 0; 1170 | } 1171 | }; 1172 | 1173 | BOOL ZMainWnd::CreateSB(HWND hwnd) 1174 | { 1175 | if (hwnd = ZStatusBar::Create(hwnd)) 1176 | { 1177 | NONCLIENTMETRICS ncm = { sizeof(NONCLIENTMETRICS) }; 1178 | if (SystemParametersInfo(SPI_GETNONCLIENTMETRICS, sizeof(ncm), &ncm, 0)) 1179 | { 1180 | int pp[] = { 5*ncm.iMenuHeight, 9*ncm.iMenuHeight, 32*ncm.iMenuHeight, -1 }; 1181 | SetParts(pp, _countof(pp)); 1182 | } 1183 | 1184 | return TRUE; 1185 | } 1186 | return FALSE; 1187 | } 1188 | 1189 | BOOL ZMainWnd::CreateTB(HWND hwnd) 1190 | { 1191 | static TBBUTTON g_btns[] = { 1192 | {IMAGE_BITMAP, ID_REFRESH, 0, BTNS_AUTOSIZE, {}, (DWORD_PTR)L" Refresh ", -1}, 1193 | {IMAGE_BITMAP, ID_CMDLINE, 0, BTNS_AUTOSIZE, {}, (DWORD_PTR)L" Command Line ", -1}, 1194 | {IMAGE_BITMAP, ID_GRID, TBSTATE_ENABLED, BTNS_AUTOSIZE, {}, (DWORD_PTR)L" Display Grid ", -1}, 1195 | {IMAGE_BITMAP, ID_COPY, 0, BTNS_AUTOSIZE, {}, (DWORD_PTR)L" Copy Name ", -1}, 1196 | {IMAGE_BITMAP, ID_FIND, 0, BTNS_AUTOSIZE, {}, (DWORD_PTR)L" Find ", -1}, 1197 | {IMAGE_BITMAP, ID_PROTECTED, TBSTATE_ENABLED, BTNS_AUTOSIZE, {}, (DWORD_PTR)L" Protected List ", -1}, 1198 | {IMAGE_BITMAP, ID_SESSIONS, TBSTATE_ENABLED, BTNS_AUTOSIZE, {}, (DWORD_PTR)L" Logon Sessions ", -1}, 1199 | {IMAGE_BITMAP, ID_POLICY, TBSTATE_ENABLED, BTNS_AUTOSIZE, {}, (DWORD_PTR)L" Policy ", -1}, 1200 | }; 1201 | 1202 | return ZToolBar::Create(hwnd, (HINSTANCE)&__ImageBase, 0, 0, 16, 16, 1203 | g_btns, g_nt_ver.Version < _WIN32_WINNT_WIN8 ? _countof(g_btns) - 1 : _countof(g_btns), TRUE) != 0; 1204 | } 1205 | 1206 | LRESULT ZMainWnd::WindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam) 1207 | { 1208 | switch (uMsg) 1209 | { 1210 | case WM_COMMAND: 1211 | SendMessage(_hwnd, WM_COMMAND, wParam, 0); 1212 | break; 1213 | } 1214 | return ZSDIFrameWnd::WindowProc(hwnd, uMsg, wParam, lParam); 1215 | } 1216 | 1217 | void zmain() 1218 | { 1219 | ZGLOBALS globals; 1220 | ZApp app; 1221 | ZRegistry reg; 1222 | 1223 | if (0 <= reg.Create(L"Software\\{9618DB6D-97D9-4ded-A8E7-422E46BD9C87}")) 1224 | { 1225 | HWND hwnd = 0; 1226 | 1227 | if (ZMainWnd* p = new ZMainWnd) 1228 | { 1229 | hwnd = p->ZSDIFrameWnd::Create(L"Processes Tree | Dll List", (HINSTANCE)&__ImageBase, MAKEINTRESOURCE(IDR_MENU1), TRUE); 1230 | 1231 | p->Release(); 1232 | } 1233 | 1234 | if (hwnd) 1235 | { 1236 | app.Run(); 1237 | } 1238 | } 1239 | } 1240 | 1241 | NTSTATUS AdjustPrivileges() 1242 | { 1243 | HANDLE hToken; 1244 | NTSTATUS status = NtOpenProcessToken(NtCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken); 1245 | if (0 <= status) 1246 | { 1247 | BEGIN_PRIVILEGES(tp, 2) 1248 | LAA(SE_DEBUG_PRIVILEGE), 1249 | LAA(SE_LOAD_DRIVER_PRIVILEGE) 1250 | END_PRIVILEGES 1251 | status = NtAdjustPrivilegesToken(hToken, FALSE, const_cast(&tp), 0, 0, 0); 1252 | NtClose(hToken); 1253 | } 1254 | return status; 1255 | } 1256 | 1257 | void InitDriver(); 1258 | void InitWow64(); 1259 | 1260 | void ep(void*) 1261 | { 1262 | #ifndef _WIN64 1263 | PVOID wow; 1264 | if (0 > NtQueryInformationProcess(NtCurrentProcess(), ProcessWow64Information, &wow, sizeof(wow), 0) || wow) 1265 | { 1266 | MessageBox(0, L"The 32-bit version of this program is not compatible with the 64-bit Windows you're running.", 1267 | L"Machine Type Mismatch", MB_ICONWARNING); 1268 | ExitProcess(0); 1269 | } 1270 | #else 1271 | InitWow64(); 1272 | #endif 1273 | 1274 | AdjustPrivileges(); 1275 | 1276 | InitDriver(); 1277 | 1278 | initterm(); 1279 | zmain(); 1280 | 1281 | destroyterm(); 1282 | 1283 | ExitProcess(0); 1284 | } 1285 | 1286 | _NT_END -------------------------------------------------------------------------------- /PP/Policy.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | 3 | _NT_BEGIN 4 | 5 | #include "../winz/window.h" 6 | #include "buf.h" 7 | 8 | NTSTATUS MyOpenProcess(PHANDLE ProcessHandle, ULONG DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID Cid); 9 | 10 | extern OBJECT_ATTRIBUTES zoa; 11 | 12 | class ZSF : public ZWnd 13 | { 14 | public: 15 | struct CP { 16 | PCWSTR psz1, psz2; 17 | HFONT hFont; 18 | }; 19 | protected: 20 | private: 21 | HWND _hwndEdit1, _hwndEdit2; 22 | int _y; 23 | 24 | virtual LRESULT WindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam) 25 | { 26 | switch (uMsg) 27 | { 28 | case WM_ERASEBKGND: 29 | return TRUE; 30 | 31 | case WM_PAINT: 32 | return EmptyPaint(hwnd); 33 | 34 | case WM_SIZE: 35 | switch (wParam) 36 | { 37 | case SIZE_MAXIMIZED: 38 | case SIZE_RESTORED: 39 | case SIZE_MINIMIZED: 40 | int cx = GET_X_LPARAM(lParam); 41 | MoveWindow(_hwndEdit1, 0, 0, cx, _y, TRUE); 42 | MoveWindow(_hwndEdit2, 0, _y, cx, GET_Y_LPARAM(lParam) - _y, TRUE); 43 | } 44 | break; 45 | case WM_CREATE: 46 | RECT rc; 47 | GetClientRect(hwnd, &rc); 48 | CP* cp = reinterpret_cast(reinterpret_cast(lParam)->lpCreateParams); 49 | CreateClient(hwnd, rc.right, rc.bottom, cp->psz1, cp->psz2, cp->hFont); 50 | break; 51 | } 52 | return __super::WindowProc(hwnd, uMsg, wParam, lParam); 53 | } 54 | 55 | virtual BOOL CreateClient(HWND hWndParent, int nWidth, int nHeight, PCWSTR psz1, PCWSTR psz2, HFONT hFont) 56 | { 57 | int y = nHeight / 2; 58 | 59 | HWND hwnd = CreateWindowExW(0, WC_EDIT, 0, WS_CHILD|WS_VISIBLE|ES_MULTILINE|ES_READONLY, 60 | 0, 0, nWidth, y, hWndParent, 0, 0, 0); 61 | 62 | _hwndEdit1 = hwnd; 63 | 64 | SendMessage(hwnd, WM_SETFONT, (WPARAM)hFont, 0); 65 | 66 | SetWindowTextW(hwnd, psz1); 67 | 68 | if (HDC hdc = GetDC(hwnd)) 69 | { 70 | TEXTMETRIC tm; 71 | HGDIOBJ ho = SelectObject(hdc, hFont); 72 | if (GetTextMetricsW(hdc, &tm)) 73 | { 74 | MoveWindow(hwnd, 0, 0, nWidth, y = 75 | (tm.tmHeight * (4*(ULONG)SendMessage(hwnd, EM_GETLINECOUNT, 0, 0)+1))/4, TRUE); 76 | _y = y; 77 | } 78 | SelectObject(hdc, ho); 79 | ReleaseDC(hwnd, hdc); 80 | } 81 | 82 | hwnd = CreateWindowExW(0, WC_EDIT, 0, WS_CHILD|WS_VISIBLE|ES_MULTILINE|WS_VSCROLL|ES_READONLY, 83 | 0, y, nWidth, nHeight - y, hWndParent, 0, 0, 0); 84 | 85 | SendMessage(hwnd, WM_SETFONT, (WPARAM)hFont, 0); 86 | 87 | _hwndEdit2 = hwnd; 88 | 89 | SetWindowTextW(hwnd, psz2); 90 | 91 | return TRUE; 92 | } 93 | }; 94 | 95 | void ShowE2(HWND hWndParent, PCWSTR Caption, PCWSTR psz1, PCWSTR psz2, HFONT hFont ) 96 | { 97 | if (ZSF* p = new ZSF) 98 | { 99 | ZSF::CP cp = { psz1, psz2, hFont }; 100 | 101 | if (HWND hwnd = p->Create(0, Caption, WS_OVERLAPPEDWINDOW|WS_CLIPCHILDREN, 102 | CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, hWndParent, 0, &cp)) 103 | { 104 | ShowWindow(hwnd, SW_SHOW); 105 | } 106 | 107 | p->Release(); 108 | } 109 | } 110 | 111 | BOOL 112 | GetProcessMitigationPolicy( 113 | _In_ HANDLE hProcess, 114 | _In_ PROCESS_MITIGATION_POLICY MitigationPolicy, 115 | _Out_writes_bytes_(DWORD) PVOID lpBuffer 116 | ) 117 | { 118 | struct PROCESS_MITIGATION { 119 | PROCESS_MITIGATION_POLICY Policy; 120 | DWORD Flags; 121 | }; 122 | 123 | PROCESS_MITIGATION m = { MitigationPolicy }; 124 | NTSTATUS status = NtQueryInformationProcess(hProcess, ProcessMitigationPolicy, &m, sizeof(m), 0); 125 | if (0 <= status) 126 | { 127 | *(PULONG)lpBuffer = m.Flags; 128 | return TRUE; 129 | } 130 | 131 | SetLastError(RtlNtStatusToDosError(status)); 132 | return FALSE; 133 | } 134 | 135 | 136 | void els3(WLog& log, PVOID buf) 137 | { 138 | union { 139 | PBYTE pb; 140 | PVOID pv; 141 | PSYSTEM_PROCESS_INFORMATION pspi; 142 | }; 143 | 144 | pv = buf; 145 | ULONG NextEntryOffset = 0; 146 | 147 | do 148 | { 149 | pb += NextEntryOffset; 150 | 151 | CLIENT_ID cid = { pspi->UniqueProcessId }; 152 | 153 | if (cid.UniqueProcess) 154 | { 155 | HANDLE hProcess; 156 | NTSTATUS status = MyOpenProcess(&hProcess, PROCESS_QUERY_INFORMATION, &zoa, &cid); 157 | if (0 > status) 158 | { 159 | log(L"[ ] %04x(%04x) Open(%wZ)=%x\r\n", 160 | (ULONG)(ULONG_PTR)pspi->UniqueProcessId, 161 | (ULONG)(ULONG_PTR)pspi->InheritedFromUniqueProcessId, 162 | &pspi->ImageName, status); 163 | } 164 | else 165 | { 166 | union { 167 | PROCESS_MITIGATION_DYNAMIC_CODE_POLICY dcp; 168 | PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY cfg; 169 | PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY bsp; 170 | PROCESS_MITIGATION_CHILD_PROCESS_POLICY cpp; 171 | }; 172 | 173 | WCHAR sz[] = L".... ... ..... ..."; 174 | 175 | if (GetProcessMitigationPolicy(hProcess, ProcessDynamicCodePolicy, &dcp)) 176 | { 177 | if (dcp.ProhibitDynamicCode) sz[0] = '#'; 178 | if (dcp.AllowThreadOptOut) sz[1] = '#'; 179 | if (dcp.AllowRemoteDowngrade) sz[2] = '#'; 180 | if (dcp.AuditProhibitDynamicCode) sz[3] = '#'; 181 | } 182 | 183 | if (GetProcessMitigationPolicy(hProcess, ProcessControlFlowGuardPolicy, &cfg)) 184 | { 185 | if (cfg.EnableControlFlowGuard) sz[5] = '#'; 186 | if (cfg.EnableExportSuppression) sz[6] = '#'; 187 | if (cfg.StrictMode) sz[7] = '#'; 188 | } 189 | 190 | if (GetProcessMitigationPolicy(hProcess, ProcessSignaturePolicy, &bsp)) 191 | { 192 | if (bsp.MicrosoftSignedOnly) sz[9] = '#'; 193 | if (bsp.StoreSignedOnly) sz[10] = '#'; 194 | if (bsp.MitigationOptIn) sz[11] = '#'; 195 | if (bsp.AuditMicrosoftSignedOnly) sz[12] = '#'; 196 | if (bsp.AuditStoreSignedOnly) sz[13] = '#'; 197 | } 198 | 199 | if (GetProcessMitigationPolicy(hProcess, ProcessChildProcessPolicy, &cpp)) 200 | { 201 | if (cpp.NoChildProcessCreation) sz[15] = '#'; 202 | if (cpp.AuditNoChildProcessCreation) sz[16] = '#'; 203 | if (cpp.AllowSecureProcessCreation) sz[17] = '#'; 204 | } 205 | 206 | log(L"[%s] %04x(%04x) %wZ\r\n", sz, 207 | (ULONG)(ULONG_PTR)pspi->UniqueProcessId, 208 | (ULONG)(ULONG_PTR)pspi->InheritedFromUniqueProcessId, 209 | &pspi->ImageName); 210 | 211 | NtClose(hProcess); 212 | } 213 | } 214 | 215 | } while (NextEntryOffset = pspi->NextEntryOffset); 216 | } 217 | 218 | void els3(WLog& log) 219 | { 220 | NTSTATUS status; 221 | ULONG cb = 0x20000; 222 | 223 | do 224 | { 225 | status = STATUS_INSUFFICIENT_RESOURCES; 226 | 227 | if (PVOID pv = LocalAlloc(0, cb)) 228 | { 229 | if (0 <= (status = NtQuerySystemInformation(SystemProcessInformation, pv, cb, &cb))) 230 | { 231 | els3(log, pv); 232 | } 233 | LocalFree(pv); 234 | } 235 | 236 | } while (status == STATUS_INFO_LENGTH_MISMATCH); 237 | 238 | if (0 > status) 239 | { 240 | log(L"QuerySystemInformation(SystemProcessInformation)=%x\r\n", status); 241 | log[status]; 242 | } 243 | } 244 | 245 | void ShowPolicy(HWND hWndParent, HFONT hFont) 246 | { 247 | if (PWSTR buf = new WCHAR[0x40000]) 248 | { 249 | WLog log(buf, 0x40000); 250 | els3(log); 251 | ShowE2(hWndParent, L"Mitigation Policy", 252 | L"[#... ... ..... ...] ProhibitDynamicCode\r\n" 253 | L"[.#.. ... ..... ...] AllowThreadOptOut\r\n" 254 | L"[..#. ... ..... ...] AllowRemoteDowngrade\r\n" 255 | L"[...# ... ..... ...] AuditProhibitDynamicCode\r\n" 256 | L"[.... #.. ..... ...] EnableControlFlowGuard\r\n" 257 | L"[.... .#. ..... ...] EnableExportSuppression\r\n" 258 | L"[.... ..# ..... ...] StrictMode\r\n" 259 | L"[.... ... #.... ...] MicrosoftSignedOnly\r\n" 260 | L"[.... ... .#... ...] StoreSignedOnly\r\n" 261 | L"[.... ... ..#.. ...] MitigationOptIn\r\n" 262 | L"[.... ... ...#. ...] AuditMicrosoftSignedOnly\r\n" 263 | L"[.... ... ....# ...] AuditStoreSignedOnly\r\n" 264 | L"[.... ... ..... #..] NoChildProcessCreation\r\n" 265 | L"[.... ... ..... .#.] AuditNoChildProcessCreation\r\n" 266 | L"[.... ... ..... ..#] AllowSecureProcessCreation", 267 | log, hFont ); 268 | 269 | delete [] buf; 270 | } 271 | } 272 | 273 | _NT_END -------------------------------------------------------------------------------- /PP/Processes.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/partial/6fe64e3f2c8c54b21cd75bdd7c855ecb29640cae/PP/Processes.exe -------------------------------------------------------------------------------- /PP/buf.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | 3 | _NT_BEGIN 4 | 5 | #include "buf.h" 6 | 7 | void SetEditText(HWND hwnd, PVOID txt) 8 | { 9 | PVOID pv = (PVOID)SendMessage(hwnd, EM_GETHANDLE, 0, 0); 10 | SendMessage(hwnd, EM_SETHANDLE, (WPARAM)txt, 0); 11 | if (pv) 12 | { 13 | LocalFree(pv); 14 | } 15 | } 16 | 17 | void WLog::operator >> (HWND hwnd) 18 | { 19 | SetEditText(hwnd, _BaseAddress); 20 | _BaseAddress = 0; 21 | } 22 | 23 | WLog& WLog::operator << (WCHAR c) 24 | { 25 | if (_Ptr < _RegionSize) 26 | { 27 | *(PWSTR)((PBYTE)_BaseAddress + _Ptr) = c; 28 | _Ptr += sizeof(WCHAR); 29 | } 30 | return *this; 31 | } 32 | 33 | WLog& WLog::operator ()(PCWSTR format, ...) 34 | { 35 | va_list args; 36 | va_start(args, format); 37 | 38 | int len = _vsnwprintf_s(_buf(), _cch(), _TRUNCATE, format, args); 39 | 40 | if (0 < len) 41 | { 42 | _Ptr += len * sizeof(WCHAR); 43 | } 44 | 45 | va_end(args); 46 | 47 | return *this; 48 | } 49 | 50 | WLog& WLog::operator[](NTSTATUS status) 51 | { 52 | if (status) 53 | { 54 | static HMODULE hNT; 55 | 56 | if (!hNT) 57 | { 58 | hNT = GetModuleHandle(L"ntdll"); 59 | } 60 | 61 | if (ULONG n = FormatMessageW(FORMAT_MESSAGE_FROM_HMODULE|FORMAT_MESSAGE_IGNORE_INSERTS, hNT, status, 0, _buf(), _cch(), 0)) 62 | { 63 | _Ptr += n * sizeof(WCHAR); 64 | } 65 | } 66 | return *this; 67 | } 68 | 69 | _NT_END -------------------------------------------------------------------------------- /PP/buf.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | class WLog 4 | { 5 | PVOID _BaseAddress; 6 | ULONG _RegionSize, _Ptr; 7 | public: 8 | 9 | WLog(WLog&&) = delete; 10 | WLog(WLog&) = delete; 11 | WLog(PVOID BaseAddress, ULONG RegionSize): _BaseAddress(BaseAddress), _RegionSize(RegionSize), _Ptr(0) { } 12 | 13 | operator PCWSTR() 14 | { 15 | return (PCWSTR)_BaseAddress; 16 | } 17 | 18 | PWSTR _buf() 19 | { 20 | return (PWSTR)((PBYTE)_BaseAddress + _Ptr); 21 | } 22 | 23 | ULONG _cch() 24 | { 25 | return (_RegionSize - _Ptr) / sizeof(WCHAR); 26 | } 27 | 28 | ULONG size() 29 | { 30 | return _Ptr; 31 | } 32 | 33 | void operator >> (HWND hwnd); 34 | 35 | WLog& operator << (WCHAR c); 36 | 37 | WLog& operator ()(PCWSTR format, ...); 38 | 39 | WLog& operator[](NTSTATUS status); 40 | }; 41 | -------------------------------------------------------------------------------- /PP/common.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "../winz/app.h" 4 | #include "../winz/Frame.h" 5 | #include "../winz/mdi.h" 6 | #include "../inc/idcres.h" 7 | #include "resource.h" 8 | 9 | #ifdef _WIN64 10 | #define uptoul _wcstoui64 11 | #else 12 | #define uptoul wcstoul 13 | #endif 14 | 15 | -------------------------------------------------------------------------------- /PP/qpm.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | 3 | #include "..\NtVer\nt_ver.h" 4 | _NT_BEGIN 5 | 6 | #include "../tkn/tkn.h" 7 | #include "qpm.h" 8 | 9 | HANDLE g_hDrv; 10 | 11 | void InitDriver() 12 | { 13 | STATIC_UNICODE_STRING(tkn, "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\{FC81D8A3-6002-44bf-931A-352B95C4522F}"); 14 | 15 | switch (ZwLoadDriver((PUNICODE_STRING)&tkn)) 16 | { 17 | case 0: 18 | case STATUS_IMAGE_ALREADY_LOADED: 19 | IO_STATUS_BLOCK iosb; 20 | STATIC_OBJECT_ATTRIBUTES(oa, "\\device\\69766781178D422cA183775611A8EE55"); 21 | NtOpenFile(&g_hDrv, SYNCHRONIZE, &oa, &iosb, FILE_SHARE_VALID_FLAGS, FILE_SYNCHRONOUS_IO_NONALERT); 22 | break; 23 | } 24 | } 25 | 26 | NTSTATUS DoIoControl(ULONG code) 27 | { 28 | IO_STATUS_BLOCK iosb; 29 | return g_hDrv ? NtDeviceIoControlFile(g_hDrv, 0, 0, 0, &iosb, code, 0, 0, 0, 0) : STATUS_INVALID_HANDLE; 30 | } 31 | 32 | NTSTATUS MyOpenProcess(PHANDLE ProcessHandle, ULONG DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID Cid) 33 | { 34 | if (g_hDrv) 35 | { 36 | IO_STATUS_BLOCK iosb; 37 | NTSTATUS status = NtDeviceIoControlFile(g_hDrv, 0, 0, 0, &iosb, IOCTL_OpenProcess, &Cid->UniqueProcess, sizeof(HANDLE), 0, 0); 38 | *ProcessHandle = (HANDLE)iosb.Information; 39 | return status; 40 | } 41 | return NtOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, Cid); 42 | } 43 | 44 | #ifdef _WIN64 45 | 46 | #include "../wow/wow.h" 47 | 48 | BEGIN_DLL_FUNCS(ntdll, 0) 49 | FUNC(LdrQueryProcessModuleInformation), 50 | FUNC(RtlExitUserThread), 51 | END_DLL_FUNCS(); 52 | 53 | void InitWow64() 54 | { 55 | DLL_LIST_0::Process(&ntdll); 56 | } 57 | 58 | #endif 59 | 60 | BOOLEAN IsExportSuppressionEnabled(HANDLE hProcess); 61 | NTSTATUS SetExportValid(HANDLE hProcess, LPCVOID pv1, LPCVOID pv2); 62 | 63 | struct THREAD_INFO 64 | { 65 | union { 66 | HANDLE hProcess; 67 | struct 68 | { 69 | ULONG_PTR IsWow64Process : 1; 70 | ULONG_PTR ExportSuppressed : 1; 71 | }; 72 | }; 73 | 74 | union { 75 | HANDLE hThread; 76 | struct 77 | { 78 | ULONG_PTR IsWow64Thread : 1; 79 | }; 80 | }; 81 | 82 | PVOID RemoteViewBase; 83 | PSYSTEM_PROCESS_INFORMATION pspi; 84 | 85 | void Cleanup() 86 | { 87 | ZwUnmapViewOfSection(hProcess, RemoteViewBase), RemoteViewBase = 0; 88 | NtClose(hProcess), hProcess = 0; 89 | } 90 | }; 91 | 92 | ULONG FormatWaitArray(_In_ THREAD_INFO* pta, ULONG n, _Out_ PHANDLE lpHandles, _Out_ PULONG Indexes) 93 | { 94 | ULONG nCount = 0, i = 0; 95 | do 96 | { 97 | if (HANDLE hThread = pta++->hThread) 98 | { 99 | *Indexes++ = i, *lpHandles++ = hThread, nCount++; 100 | } 101 | } while (i++, --n); 102 | 103 | return nCount; 104 | } 105 | 106 | struct NAME_EX 107 | { 108 | union { 109 | ULONG Value; 110 | ULONG offset : 24; 111 | struct { 112 | UCHAR pad[3]; 113 | UCHAR count; 114 | }; 115 | }; 116 | CHAR buf[]; 117 | }; 118 | 119 | C_ASSERT(sizeof(NAME_EX)==4); 120 | 121 | ULONG GetLoadCount(PROCESS_MODULE* pm) 122 | { 123 | return CONTAINING_RECORD(pm->FullPathName, NAME_EX, buf)->count; 124 | } 125 | 126 | PROCESS_MODULE* PROCESS_MODULE::Init(NAMES* Table, ULONG i, PVOID Base, ULONG Size, PSTR Name) 127 | { 128 | ImageBase = Base; 129 | ImageSize = Size; 130 | Index = i; 131 | 132 | NAME_EX* p = CONTAINING_RECORD(Name, NAME_EX, buf); 133 | 134 | ULONG len = FIELD_OFFSET(NAME_EX, buf[strlen(Name) + 1]); 135 | 136 | p->Value = RtlPointerToOffset(Table->TableContext, this); 137 | Name = 0; 138 | 139 | if (p = (NAME_EX*)RtlInsertElementGenericTableAvl(Table, p, len, 0)) 140 | { 141 | p->count++; 142 | Name = p->buf; 143 | 144 | Table->IncModulesCount(); 145 | } 146 | 147 | FullPathName = Name; 148 | 149 | return this + 1; 150 | } 151 | 152 | BOOL NAMES::Create(ULONG size) 153 | { 154 | if (PVOID pv = VirtualAlloc(0, size, MEM_COMMIT, PAGE_READWRITE)) 155 | { 156 | Init(pv); 157 | _cbFree = size; 158 | 159 | return TRUE; 160 | } 161 | 162 | return FALSE; 163 | } 164 | 165 | PCSTR NAMES::GetCommandLine(HANDLE hProcess) 166 | { 167 | if (g_nt_ver.Version >= _WIN32_WINNT_WINBLUE) 168 | { 169 | if (ULONG cb = _cbFree) 170 | { 171 | union { 172 | PSTR psz; 173 | POBJECT_NAME_INFORMATION poni; 174 | }; 175 | 176 | psz = RtlOffsetToPointer(TableContext, _cbUsed); 177 | 178 | if (0 <= NtQueryInformationProcess(hProcess, ProcessCommandLineInformation, poni, cb, 0)) 179 | { 180 | if (cb = WideCharToMultiByte(CP_UTF8, 0, poni->Name.Buffer, poni->Name.Length >> 1, psz, cb - 1, 0, 0)) 181 | { 182 | psz[cb] = 0; 183 | 184 | cb = (cb + __alignof(PVOID)) & ~(__alignof(PVOID) - 1); 185 | 186 | _cbFree -= cb, _cbUsed += cb; 187 | 188 | return psz; 189 | } 190 | } 191 | } 192 | } 193 | 194 | return 0; 195 | } 196 | 197 | PSYSTEM_PROCESS_INFORMATION NAMES::BuildListOfProcesses() 198 | { 199 | union { 200 | PVOID buf; 201 | PSYSTEM_PROCESS_INFORMATION pspi; 202 | }; 203 | 204 | buf = RtlOffsetToPointer(TableContext, _cbUsed); 205 | ULONG cb; 206 | 207 | if (0 <= NtQuerySystemInformation(SystemProcessInformation, buf, _cbFree, &cb)) 208 | { 209 | cb = (cb + __alignof(PVOID) - 1) & ~(__alignof(PVOID) - 1); 210 | 211 | _cbFree -= cb, _cbUsed += cb; 212 | 213 | return pspi; 214 | } 215 | 216 | return 0; 217 | } 218 | 219 | void NAMES::FillModules(PROCESS_MODULE** ppm) 220 | { 221 | PVOID Key = 0; 222 | PVOID BaseAddress = TableContext; 223 | 224 | while(NAME_EX* ptr = (NAME_EX*)RtlEnumerateGenericTableWithoutSplayingAvl(this, &Key)) 225 | { 226 | *ppm++ = (PROCESS_MODULE*)RtlOffsetToPointer(BaseAddress, ptr->offset); 227 | } 228 | } 229 | 230 | PVOID NTAPI NAMES::alloc (_In_ PRTL_AVL_TABLE Table, _In_ CLONG ByteSize) 231 | { 232 | ULONG cbFree = static_cast(Table)->_cbFree; 233 | 234 | if ((ULONG)(ByteSize = (ByteSize + __alignof(PVOID) - 1) & ~(__alignof(PVOID) - 1)) < cbFree) 235 | { 236 | PVOID pv = (PBYTE)Table->TableContext + static_cast(Table)->_cbUsed; 237 | 238 | static_cast(Table)->_cbFree -= ByteSize; 239 | static_cast(Table)->_cbUsed += ByteSize; 240 | 241 | return pv; 242 | } 243 | 244 | return 0; 245 | } 246 | 247 | RTL_GENERIC_COMPARE_RESULTS NTAPI NAMES::compare (_In_ PRTL_AVL_TABLE , _In_ PVOID FirstStruct, _In_ PVOID SecondStruct) 248 | { 249 | int i = strcmp(reinterpret_cast(FirstStruct)->buf, reinterpret_cast(SecondStruct)->buf); 250 | if (0 > i) return GenericLessThan; 251 | if (0 < i) return GenericGreaterThan; 252 | return GenericEqual; 253 | } 254 | 255 | PVOID NAMES::AllocPM(_In_ PRTL_PROCESS_MODULES mods, _In_opt_ PRTL_PROCESS_MODULES32 mods32, _Out_ PULONG pNumberOfModules) 256 | { 257 | ULONG NumberOfModules = mods->NumberOfModules; 258 | 259 | if (mods32) 260 | { 261 | NumberOfModules += mods32->NumberOfModules; 262 | } 263 | 264 | if (PROCESS_MODULE* ppm = (PROCESS_MODULE*)alloc(this, NumberOfModules * sizeof(PROCESS_MODULE))) 265 | { 266 | PVOID buf = ppm; 267 | 268 | *pNumberOfModules = NumberOfModules; 269 | 270 | union { 271 | PRTL_PROCESS_MODULE_INFORMATION Modules; 272 | PRTL_PROCESS_MODULE_INFORMATION32 Modules32; 273 | }; 274 | 275 | ULONG i = 0; 276 | if (NumberOfModules = mods->NumberOfModules) 277 | { 278 | Modules = mods->Modules; 279 | 280 | do 281 | { 282 | ppm = ppm->Init(this, i++, Modules->ImageBase, Modules->ImageSize, Modules->FullPathName); 283 | 284 | } while (Modules++, --NumberOfModules); 285 | } 286 | 287 | if (mods32) 288 | { 289 | if (NumberOfModules = mods32->NumberOfModules) 290 | { 291 | Modules32 = mods32->Modules; 292 | 293 | do 294 | { 295 | ppm = ppm->Init(this, i++, (PVOID)(ULONG_PTR)Modules32->ImageBase, Modules32->ImageSize, Modules32->FullPathName); 296 | 297 | } while (Modules32++, --NumberOfModules); 298 | } 299 | } 300 | 301 | return buf; 302 | } 303 | 304 | return 0; 305 | } 306 | 307 | extern OBJECT_ATTRIBUTES zoa; 308 | 309 | ULONG Process( PRTL_PROCESS_MODULES mods, ULONG Size) 310 | { 311 | if (ULONG NumberOfModules = mods->NumberOfModules) 312 | { 313 | if (Size == __builtin_offsetof(RTL_PROCESS_MODULES, Modules) + NumberOfModules * sizeof(RTL_PROCESS_MODULE_INFORMATION)) 314 | { 315 | PRTL_PROCESS_MODULE_INFORMATION Modules = mods->Modules; 316 | do 317 | { 318 | _strlwr(Modules->FullPathName); 319 | } while (Modules++, --NumberOfModules); 320 | 321 | return Size; 322 | } 323 | else 324 | { 325 | mods->NumberOfModules = 0; 326 | } 327 | } 328 | 329 | return sizeof(PVOID); 330 | } 331 | 332 | ULONG Process( PRTL_PROCESS_MODULES32 mods, ULONG Size) 333 | { 334 | if (ULONG NumberOfModules = mods->NumberOfModules) 335 | { 336 | if (Size == __builtin_offsetof(RTL_PROCESS_MODULES32, Modules) + NumberOfModules * sizeof(RTL_PROCESS_MODULE_INFORMATION32)) 337 | { 338 | CHAR SysDir[64]; 339 | ULONG cch = GetSystemDirectoryA(SysDir, _countof(SysDir)); 340 | static const CHAR system32[] = "\\system32\\"; 341 | static const CHAR wow64[] = "wow64"; 342 | _strlwr(SysDir); 343 | 344 | PRTL_PROCESS_MODULE_INFORMATION32 Modules = mods->Modules; 345 | do 346 | { 347 | PSTR FullPathName = _strlwr(Modules->FullPathName); 348 | if (_countof(system32) < cch) 349 | { 350 | if (!memcmp(FullPathName, SysDir, cch) && 351 | !memcmp(FullPathName += cch - _countof(system32) + 2, system32, _countof(system32) - 1)) 352 | { 353 | memcpy(FullPathName + _countof("\\sys") - 1, wow64, _countof(wow64) - 1); 354 | } 355 | } 356 | } while (Modules++, --NumberOfModules); 357 | 358 | return Size; 359 | } 360 | else 361 | { 362 | mods->NumberOfModules = 0; 363 | } 364 | } 365 | 366 | return sizeof(PVOID); 367 | } 368 | 369 | NTSTATUS StartQuery( 370 | _In_ HANDLE hProcess, 371 | _In_ PVOID RemoteBaseAddress, 372 | _In_ ULONG Size, 373 | _In_ BOOLEAN ExportSuppression, 374 | #ifdef _WIN64 375 | _In_ BOOL wow, 376 | #endif 377 | _Out_ THREAD_INFO* pta 378 | ) 379 | { 380 | PVOID pvLdrQueryProcessModuleInformation; 381 | PVOID pvRtlExitUserThread; 382 | NTSTATUS (NTAPI *QueueApcThread)(HANDLE hThread, PKNORMAL_ROUTINE , PVOID , PVOID , PVOID ); 383 | 384 | #ifdef _WIN64 385 | if (wow) 386 | { 387 | pvLdrQueryProcessModuleInformation = ntdll.funcs[0].pv; 388 | pvRtlExitUserThread = ntdll.funcs[1].pv; 389 | QueueApcThread = RtlQueueApcWow64Thread; 390 | } 391 | else 392 | #endif 393 | { 394 | pvLdrQueryProcessModuleInformation = LdrQueryProcessModuleInformation; 395 | pvRtlExitUserThread = RtlExitUserThread; 396 | QueueApcThread = ZwQueueApcThread; 397 | } 398 | 399 | NTSTATUS status; 400 | 401 | if (ExportSuppression) 402 | { 403 | if (0 > (status = SetExportValid(hProcess, pvLdrQueryProcessModuleInformation, pvRtlExitUserThread))) 404 | { 405 | return status; 406 | } 407 | } 408 | 409 | HANDLE hThread; 410 | if (0 <= (status = RtlCreateUserThread(hProcess, 0, TRUE, 0, 0, 0, pvRtlExitUserThread, 0, &hThread, 0))) 411 | { 412 | if (0 <= (status = QueueApcThread(hThread, 413 | (PKNORMAL_ROUTINE)pvLdrQueryProcessModuleInformation, 414 | RemoteBaseAddress, 415 | (PVOID)(ULONG_PTR)Size, 416 | (PBYTE)RemoteBaseAddress + Size))) 417 | { 418 | NtSetInformationThread(hThread, ThreadHideFromDebugger, 0, 0); 419 | 420 | if (0 <= (status = ZwResumeThread(hThread, 0))) 421 | { 422 | pta->hThread = hThread; 423 | #ifdef _WIN64 424 | pta->IsWow64Thread = wow; 425 | #endif 426 | pta->RemoteViewBase = RemoteBaseAddress; 427 | 428 | return STATUS_SUCCESS; 429 | } 430 | } 431 | 432 | ZwTerminateThread(hThread, 0); 433 | NtClose(hThread); 434 | } 435 | 436 | return status; 437 | } 438 | 439 | void NAMES::QueryLoop( 440 | _In_ PSYSTEM_PROCESS_INFORMATION pspi, 441 | _In_ HANDLE hSection, 442 | _In_ PVOID BaseAddress 443 | ) 444 | { 445 | THREAD_INFO ta[MaxThreads] {}, *pta; 446 | HANDLE hThreads[MaxThreads]; 447 | ULONG Indexes[MaxThreads]; // hThreads -> ta 448 | CLIENT_ID cid = { }; 449 | 450 | LONG Mask = ~0;/* 1 - THREAD_INFO is free */ 451 | ULONG Index; 452 | 453 | ULONG NextEntryOffset = 0; 454 | 455 | #ifdef _WIN64 456 | BOOL bWowInit = (ntdll.funcs[0].pv && ntdll.funcs[1].pv); 457 | #endif 458 | 459 | struct QueryBuf 460 | { 461 | ULONG NumberOfModules; 462 | UCHAR buf[secsize - 2 * sizeof(ULONG)]; 463 | ULONG ReturnedSize; 464 | }; 465 | 466 | union { 467 | void* LocalBaseAddress; 468 | ULONG_PTR up; 469 | QueryBuf* pQb; 470 | RTL_PROCESS_MODULES* mods; 471 | RTL_PROCESS_MODULES32* mods32; 472 | }; 473 | 474 | ULONG ReturnedSize; 475 | 476 | do 477 | { 478 | if (_BitScanForward(&Index, Mask)) 479 | { 480 | (ULONG_PTR&)pspi += NextEntryOffset; 481 | 482 | if (!(cid.UniqueProcess = pspi->UniqueProcessId)) 483 | { 484 | continue; 485 | } 486 | 487 | LARGE_INTEGER SectionOffset = { Index << secshift }; 488 | LocalBaseAddress = RtlOffsetToPointer(BaseAddress, SectionOffset.LowPart); 489 | 490 | NTSTATUS status; 491 | HANDLE hProcess; 492 | 493 | if (pspi->InheritedFromUniqueProcessId) 494 | { 495 | if (0 <= (status = MyOpenProcess(&hProcess, 496 | PROCESS_VM_OPERATION|PROCESS_CREATE_THREAD|PROCESS_QUERY_INFORMATION|PROCESS_SET_INFORMATION, &zoa, &cid))) 497 | { 498 | set_cmdline(pspi, GetCommandLine(hProcess)); 499 | 500 | PROCESS_EXTENDED_BASIC_INFORMATION pebi = {sizeof(pebi)}; 501 | if (0 <= (status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pebi, sizeof(pebi), 0))) 502 | { 503 | set_Flags(pspi, pebi.Flags); 504 | 505 | if (pebi.IsProcessDeleting) 506 | { 507 | status = STATUS_PROCESS_IS_TERMINATING; 508 | } 509 | else if (pebi.IsFrozen && pebi.IsStronglyNamed) 510 | { 511 | status = STATUS_INVALID_DEVICE_STATE; 512 | } 513 | else 514 | { 515 | BOOLEAN ExportSuppression = IsExportSuppressionEnabled(hProcess); 516 | 517 | pta = ta + Index; 518 | pta->pspi = pspi; 519 | 520 | pta->hProcess = hProcess; 521 | #ifdef _WIN64 522 | pta->IsWow64Process = bWowInit && pebi.IsWow64Process; 523 | #endif 524 | pta->ExportSuppressed = ExportSuppression; 525 | 526 | pQb->NumberOfModules = 0; 527 | pQb->ReturnedSize = 0; 528 | 529 | PVOID RemoteBaseAddress = 0; 530 | SIZE_T ViewSize = secsize; 531 | 532 | if (0 <= (status = ZwMapViewOfSection(hSection, hProcess, &RemoteBaseAddress, 0, 533 | secsize, &SectionOffset, &ViewSize, ViewUnmap, 0, PAGE_READWRITE))) 534 | { 535 | if (0 <= (status = StartQuery(hProcess, RemoteBaseAddress, 536 | secsize - sizeof(ULONG), 537 | ExportSuppression, 538 | #ifdef _WIN64 539 | FALSE, 540 | #endif 541 | pta))) 542 | { 543 | _bittestandreset(&Mask, Index); 544 | continue; 545 | } 546 | 547 | ZwUnmapViewOfSection(hProcess, RemoteBaseAddress); 548 | } 549 | 550 | pta->hProcess = 0, pta->pspi = 0; 551 | } 552 | } 553 | 554 | NtClose(hProcess); 555 | } 556 | else if (status == STATUS_ACCESS_DENIED) 557 | { 558 | if (0 <= NtOpenProcess(&hProcess, PROCESS_QUERY_LIMITED_INFORMATION, &zoa, &cid)) 559 | { 560 | set_cmdline(pspi, GetCommandLine(hProcess)); 561 | NtClose(hProcess); 562 | } 563 | } 564 | } 565 | else 566 | { 567 | if (0 <= (status = NtQuerySystemInformation(SystemModuleInformation, LocalBaseAddress, secsize, &ReturnedSize))) 568 | { 569 | if (ReturnedSize = Process(mods, ReturnedSize)) 570 | { 571 | if (LocalBaseAddress = AllocPM(mods, 0, &ReturnedSize)) 572 | { 573 | set_modules(pspi, up, ReturnedSize); 574 | } 575 | } 576 | } 577 | } 578 | 579 | set_status(pspi, status); 580 | } 581 | else 582 | { 583 | do 584 | { 585 | __0: 586 | LARGE_INTEGER Timeout = { (ULONG)-10000000, -1 }; 587 | Index = ZwWaitForMultipleObjects(FormatWaitArray(ta, _countof(ta), hThreads, Indexes), hThreads, WaitAny, TRUE, &Timeout); 588 | 589 | if (Index > MaxThreads) 590 | { 591 | goto __1; 592 | } 593 | 594 | pta = &ta[Index = Indexes[Index]]; 595 | PVOID buf = LocalBaseAddress = RtlOffsetToPointer(BaseAddress, Index << secshift); 596 | 597 | NtClose(pta->hThread); 598 | 599 | ReturnedSize = pQb->ReturnedSize; 600 | 601 | up += (ULONG_PTR)pta->RemoteViewBase & 0xFFFF; 602 | ReturnedSize = pta->IsWow64Thread ? Process(mods32, ReturnedSize) : Process(mods, ReturnedSize); 603 | pta->hThread = 0; 604 | 605 | #ifdef _WIN64 606 | if (pta->IsWow64Process) 607 | { 608 | pta->IsWow64Process = 0; 609 | 610 | if (ReturnedSize <= 0x10000 - sizeof(ULONG)) 611 | { 612 | if (0 <= StartQuery(pta->hProcess, (PBYTE&)pta->RemoteViewBase += ReturnedSize, 613 | secsize - ReturnedSize - sizeof(ULONG), pta->ExportSuppressed, TRUE, pta)) 614 | { 615 | goto __0; 616 | } 617 | } 618 | } 619 | #endif 620 | 621 | pta->Cleanup(); 622 | _bittestandset(&Mask, Index); 623 | 624 | if (ReturnedSize) 625 | { 626 | set_status(pta->pspi, STATUS_SUCCESS); 627 | 628 | if (buf == LocalBaseAddress) 629 | { 630 | LocalBaseAddress = AllocPM(mods, 0, &ReturnedSize); 631 | } 632 | else 633 | { 634 | LocalBaseAddress = AllocPM((PRTL_PROCESS_MODULES)buf, mods32, &ReturnedSize); 635 | } 636 | 637 | if (LocalBaseAddress) 638 | { 639 | set_modules(pta->pspi, up, ReturnedSize); 640 | } 641 | } 642 | 643 | } while (!_BitScanForward(&Index, Mask)); 644 | } 645 | 646 | } while (NextEntryOffset = pspi->NextEntryOffset); 647 | 648 | while (Mask != ~0) 649 | { 650 | goto __0; 651 | } 652 | 653 | __1: 654 | 655 | Index = MaxThreads; 656 | pta = ta; 657 | do 658 | { 659 | if (HANDLE hThread = pta->hThread) 660 | { 661 | ZwTerminateThread(hThread, 0); 662 | NtClose(hThread); 663 | set_status(pta->pspi, STATUS_UNSUCCESSFUL); 664 | pta->Cleanup(); 665 | } 666 | 667 | } while (pta++, --Index); 668 | } 669 | 670 | _NT_END -------------------------------------------------------------------------------- /PP/qpm.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | class NAMES; 4 | 5 | enum { secshift = 17, secsize = (1 << secshift), MaxThreads = 32 }; 6 | 7 | struct PROCESS_MODULE 8 | { 9 | PVOID ImageBase; 10 | PCSTR FullPathName; 11 | ULONG ImageSize; 12 | ULONG Index; 13 | 14 | PROCESS_MODULE* Init(NAMES* Table, ULONG i, PVOID Base, ULONG Size, PSTR Name); 15 | }; 16 | 17 | // SpareLi1 18 | inline void set_Flags(PSYSTEM_PROCESS_INFORMATION pspi, ULONG Flags) 19 | { 20 | pspi->SpareLi1.LowPart = Flags; 21 | } 22 | 23 | inline ULONG get_Flags(PSYSTEM_PROCESS_INFORMATION pspi) 24 | { 25 | return pspi->SpareLi1.LowPart; 26 | } 27 | 28 | inline void set_status(PSYSTEM_PROCESS_INFORMATION pspi, NTSTATUS status) 29 | { 30 | pspi->SpareLi1.HighPart = status; 31 | } 32 | 33 | inline NTSTATUS get_status(PSYSTEM_PROCESS_INFORMATION pspi) 34 | { 35 | return pspi->SpareLi1.HighPart; 36 | } 37 | 38 | // SpareLi2 39 | inline PCSTR get_cmdline(PSYSTEM_PROCESS_INFORMATION pspi) 40 | { 41 | return (PCSTR)(ULONG_PTR)pspi->SpareLi2.QuadPart; 42 | } 43 | 44 | inline void set_cmdline(PSYSTEM_PROCESS_INFORMATION pspi, PCSTR CmdLine) 45 | { 46 | pspi->SpareLi2.QuadPart = (LONGLONG)(ULONG_PTR)CmdLine; 47 | } 48 | 49 | // PageDirectoryBase, BasePriority 50 | inline PROCESS_MODULE* get_modules(PSYSTEM_PROCESS_INFORMATION pspi, PULONG count) 51 | { 52 | *count = pspi->BasePriority; 53 | return (PROCESS_MODULE*)pspi->PageDirectoryBase; 54 | } 55 | 56 | inline void set_modules(PSYSTEM_PROCESS_INFORMATION pspi, ULONG_PTR modules, ULONG count) 57 | { 58 | pspi->BasePriority = count; 59 | pspi->PageDirectoryBase = modules; 60 | } 61 | 62 | enum { 63 | WM_PSI_READY = WM_USER + 0x100 64 | }; 65 | 66 | ULONG GetLoadCount(PROCESS_MODULE* pm); 67 | 68 | class NAMES : public RTL_AVL_TABLE 69 | { 70 | HWND _hwnd; 71 | ULONG _cbFree = 0, _cbUsed = 0; 72 | ULONG _nModules = 0; 73 | LONG _dwRefCount = 1; 74 | 75 | void Init(PVOID pv) 76 | { 77 | RtlInitializeGenericTableAvl(this, compare, alloc, free, pv); 78 | } 79 | 80 | public: 81 | 82 | NAMES(HWND hwnd) : _hwnd(hwnd) 83 | { 84 | TableContext = 0; 85 | } 86 | 87 | void AddRef() 88 | { 89 | InterlockedIncrementNoFence(&_dwRefCount); 90 | } 91 | 92 | void Release() 93 | { 94 | if (!InterlockedDecrement(&_dwRefCount)) 95 | { 96 | delete this; 97 | } 98 | } 99 | 100 | void Finish(ULONG n, PSYSTEM_PROCESS_INFORMATION pspi) 101 | { 102 | PostMessageW(_hwnd, WM_PSI_READY, n, (LPARAM)pspi); 103 | } 104 | 105 | BOOL Create(ULONG size); 106 | 107 | void Reset() 108 | { 109 | Init(TableContext); 110 | _cbFree += _cbUsed, _cbUsed = 0, _nModules = 0; 111 | } 112 | 113 | PCSTR GetCommandLine(HANDLE hProcess); 114 | 115 | PSYSTEM_PROCESS_INFORMATION BuildListOfProcesses(); 116 | 117 | PVOID AllocPM(_In_ PRTL_PROCESS_MODULES mods, _In_opt_ PRTL_PROCESS_MODULES32 mods32, _Out_ PULONG pNumberOfModules); 118 | 119 | void QueryLoop(_In_ PSYSTEM_PROCESS_INFORMATION pspi, _In_ HANDLE hSection, _In_ PVOID BaseAddress); 120 | 121 | void IncModulesCount() 122 | { 123 | _nModules++; 124 | } 125 | 126 | ULONG GetMemUsage() 127 | { 128 | return _cbUsed; 129 | } 130 | 131 | ULONG GetModulesCount() 132 | { 133 | return _nModules; 134 | } 135 | 136 | PVOID malloca(_In_ ULONG ByteSize) 137 | { 138 | return ByteSize > _cbFree ? new CHAR[ByteSize] : RtlOffsetToPointer(TableContext, _cbUsed); 139 | } 140 | 141 | void freea(_In_ PVOID pv) 142 | { 143 | if (pv != RtlOffsetToPointer(TableContext, _cbUsed)) 144 | { 145 | delete [] pv; 146 | } 147 | } 148 | 149 | void FillModules(PROCESS_MODULE** ppm); 150 | 151 | static PVOID NTAPI alloc (_In_ PRTL_AVL_TABLE Table, _In_ CLONG ByteSize); 152 | 153 | static VOID NTAPI free (_In_ PRTL_AVL_TABLE ,_In_ PVOID ) 154 | { 155 | __debugbreak(); 156 | } 157 | 158 | static RTL_GENERIC_COMPARE_RESULTS NTAPI compare (_In_ PRTL_AVL_TABLE , _In_ PVOID FirstStruct, _In_ PVOID SecondStruct); 159 | 160 | ~NAMES() 161 | { 162 | if (PVOID buf = TableContext) 163 | { 164 | VirtualFree(buf, 0, MEM_RELEASE); 165 | } 166 | } 167 | }; 168 | 169 | #ifdef _WIN64 170 | void InitWow64(); 171 | #endif 172 | -------------------------------------------------------------------------------- /PP/tmp.cpp: -------------------------------------------------------------------------------- 1 | #include "StdAfx.h" 2 | 3 | _NT_BEGIN 4 | 5 | #include 6 | #include "buf.h" 7 | 8 | extern OBJECT_ATTRIBUTES zoa; 9 | extern volatile UCHAR guz; 10 | 11 | BOOL Impersonate(PCLIENT_ID ClientId) 12 | { 13 | BOOL f = FALSE; 14 | 15 | HANDLE hThread; 16 | 17 | if (0 <= ZwOpenThread(&hThread, THREAD_DIRECT_IMPERSONATION, &zoa, ClientId)) 18 | { 19 | static SECURITY_QUALITY_OF_SERVICE sqos = { 20 | sizeof sqos, SecurityImpersonation, SECURITY_DYNAMIC_TRACKING, FALSE 21 | }; 22 | 23 | if (0 <= ZwImpersonateThread(NtCurrentThread(), hThread, &sqos)) 24 | { 25 | f = TRUE; 26 | } 27 | NtClose(hThread); 28 | } 29 | 30 | return f; 31 | } 32 | 33 | PCSTR GetLogonTypeName(ULONG LogonType, PSTR buf) 34 | { 35 | #define CASE_LT(x) case x: return #x; 36 | 37 | switch(LogonType) 38 | { 39 | CASE_LT(UndefinedLogonType) 40 | CASE_LT(Interactive) 41 | CASE_LT(Network) 42 | CASE_LT(Batch) 43 | CASE_LT(Service) 44 | CASE_LT(Proxy) 45 | CASE_LT(Unlock) 46 | CASE_LT(NetworkCleartext) 47 | CASE_LT(NewCredentials) 48 | CASE_LT(RemoteInteractive) 49 | CASE_LT(CachedInteractive) 50 | CASE_LT(CachedRemoteInteractive) 51 | CASE_LT(CachedUnlock) 52 | } 53 | 54 | sprintf(buf, "%x", LogonType); 55 | return buf; 56 | } 57 | 58 | BOOL Impersonate(PVOID buf) 59 | { 60 | union { 61 | PBYTE pb; 62 | PVOID pv; 63 | PSYSTEM_PROCESS_INFORMATION sp; 64 | }; 65 | pv = buf; 66 | ULONG NextEntryOffset = 0; 67 | 68 | do 69 | { 70 | pb += NextEntryOffset; 71 | 72 | if (sp->NumberOfThreads ) 73 | { 74 | if (Impersonate(&sp->TH->ClientId)) 75 | { 76 | return TRUE; 77 | } 78 | } 79 | 80 | } while( NextEntryOffset = sp->NextEntryOffset); 81 | 82 | return FALSE; 83 | } 84 | 85 | void Update(WLog& log, PVOID Ptr) 86 | { 87 | union { 88 | PBYTE pb; 89 | PVOID pv; 90 | PSYSTEM_PROCESS_INFORMATION pspi; 91 | }; 92 | 93 | pv = Ptr; 94 | 95 | ULONG NextEntryOffset = 0, rcb; 96 | do 97 | { 98 | pb += NextEntryOffset; 99 | 100 | CLIENT_ID cid = { pspi->UniqueProcessId }; 101 | 102 | if (cid.UniqueProcess) 103 | { 104 | HANDLE hProcess, hToken; 105 | 106 | NTSTATUS status; 107 | if (0 > (status = NtOpenProcess(&hProcess, PROCESS_QUERY_LIMITED_INFORMATION, &zoa, &cid))) 108 | { 109 | log(L"OpenProcess(%p,%wZ)=%x\r\n", cid.UniqueProcess, &pspi->ImageName, status); 110 | } 111 | else 112 | { 113 | if (0 > (status = NtOpenProcessToken(hProcess, TOKEN_QUERY, &hToken))) 114 | { 115 | log(L"OpenProcessToken(%p,%wZ)=%x\r\n", cid.UniqueProcess, &pspi->ImageName, status); 116 | } 117 | else 118 | { 119 | TOKEN_STATISTICS ts; 120 | if (0 > (status = NtQueryInformationToken(hToken, TokenStatistics, &ts, sizeof(ts), &rcb))) 121 | { 122 | log(L"QueryInformationToken(%p,%wZ)=%x\r\n", cid.UniqueProcess, &pspi->ImageName, status); 123 | } 124 | else 125 | { 126 | pspi->ReadTransferCount.LowPart = ts.AuthenticationId.LowPart; 127 | pspi->ReadTransferCount.HighPart = ts.AuthenticationId.HighPart; 128 | } 129 | NtClose(hToken); 130 | } 131 | NtClose(hProcess); 132 | } 133 | } 134 | else 135 | { 136 | pspi->ReadTransferCount.QuadPart = 0; 137 | } 138 | 139 | } while (NextEntryOffset = pspi->NextEntryOffset); 140 | } 141 | 142 | void AddProToLS(WLog& log, PLUID LogonSessionList, PVOID Ptr) 143 | { 144 | union { 145 | PBYTE pb; 146 | PVOID pv; 147 | PSYSTEM_PROCESS_INFORMATION pspi; 148 | }; 149 | 150 | pv = Ptr; 151 | 152 | TIME_FIELDS tf; 153 | ULONG NextEntryOffset = 0; 154 | 155 | LARGE_INTEGER li; 156 | GetSystemTimeAsFileTime((PFILETIME)&li); 157 | 158 | do 159 | { 160 | pb += NextEntryOffset; 161 | 162 | if (LogonSessionList->LowPart == pspi->ReadTransferCount.LowPart && 163 | LogonSessionList->HighPart == pspi->ReadTransferCount.HighPart) 164 | { 165 | RtlTimeToTimeFields(&pspi->CreateTime, &tf); 166 | LARGE_INTEGER t; 167 | t.QuadPart = (li.QuadPart - pspi->CreateTime.QuadPart)/10000000; 168 | 169 | log(L"\t%u %05x(%05x) %d-%02d:%02d:%02d[%u-%02u-%02u %02u:%02u:%02u] %wZ\r\n", 170 | pspi->SessionId, 171 | (ULONG)(ULONG_PTR)pspi->UniqueProcessId, 172 | (ULONG)(ULONG_PTR)pspi->InheritedFromUniqueProcessId, 173 | (DWORD)(t.QuadPart / (3600*24)), 174 | (DWORD)((t.QuadPart / 3600) % 24), 175 | (DWORD)((t.QuadPart / 60) % 60), 176 | (DWORD)(t.QuadPart % 60), 177 | tf.Year, tf.Month, tf.Day, tf.Hour, tf.Minute, tf.Second, &pspi->ImageName); 178 | } 179 | 180 | } while (NextEntryOffset = pspi->NextEntryOffset); 181 | } 182 | 183 | PCSTR GetSidNameUseName(SID_NAME_USE snu) 184 | { 185 | switch (snu) 186 | { 187 | case SidTypeUser: return "User"; 188 | case SidTypeGroup: return "Group"; 189 | case SidTypeDomain: return "Domain"; 190 | case SidTypeAlias: return "Alias"; 191 | case SidTypeWellKnownGroup: return "WellKnownGroup"; 192 | case SidTypeDeletedAccount: return "DeletedAccount"; 193 | case SidTypeInvalid: return "Invalid"; 194 | case SidTypeUnknown: return "Unknown"; 195 | case SidTypeComputer: return "Computer"; 196 | case SidTypeLabel: return "Label"; 197 | case SidTypeLogonSession: return "LogonSession"; 198 | } 199 | return "?"; 200 | } 201 | 202 | class LSA_LOOKUP 203 | { 204 | LSA_HANDLE PolicyHandle; 205 | public: 206 | LSA_LOOKUP() 207 | { 208 | LSA_OBJECT_ATTRIBUTES ObjectAttributes = { sizeof(ObjectAttributes) }; 209 | 210 | if (0 > LsaOpenPolicy(0, &ObjectAttributes, POLICY_LOOKUP_NAMES, &PolicyHandle)) 211 | { 212 | PolicyHandle = 0; 213 | } 214 | } 215 | 216 | ~LSA_LOOKUP() 217 | { 218 | if (PolicyHandle) 219 | { 220 | LsaClose(PolicyHandle); 221 | } 222 | } 223 | 224 | LSA_LOOKUP_HANDLE operator()() 225 | { 226 | return PolicyHandle; 227 | } 228 | }; 229 | 230 | void DumpSessions(WLog& log, PVOID pspi) 231 | { 232 | ULONG LogonSessionCount; 233 | PLUID LogonSessionList; 234 | NTSTATUS status; 235 | if (0 > (status = LsaEnumerateLogonSessions(&LogonSessionCount, &LogonSessionList))) 236 | { 237 | log(L"LsaEnumerateLogonSessions=%x\r\n", status); 238 | } 239 | else 240 | { 241 | PVOID Buffer = LogonSessionList; 242 | if (LogonSessionCount) 243 | { 244 | LSA_LOOKUP ll; 245 | 246 | do 247 | { 248 | SECURITY_LOGON_SESSION_DATA *LogonSessionData; 249 | if (0 > (status = LsaGetLogonSessionData(LogonSessionList, &LogonSessionData))) 250 | { 251 | log(L"LsaGetLogonSessionData(%08x-%08x)=%x\r\n", LogonSessionList->HighPart, LogonSessionList->LowPart, status); 252 | } 253 | else 254 | { 255 | TIME_FIELDS tf; 256 | char cc[16]; 257 | 258 | RtlTimeToTimeFields(&LogonSessionData->LogonTime, &tf); 259 | 260 | PSID Sid = LogonSessionData->Sid; 261 | 262 | log(L"=================================================\r\n" 263 | L"LogonId:\t%08x-%08x\r\n" 264 | L"Session:\t%u\r\n" 265 | L"LogonType:\t%S\r\n" 266 | L"LogonTime\t%u-%02u-%02u %02u:%02u:%02u\r\n" 267 | L"Username:\t%wZ\r\n" 268 | L"LogonDomain:\t%wZ\r\n" 269 | L"AuthenticationPackage:\t%wZ\r\n" 270 | L"LogonServer:\t%wZ\r\n" 271 | L"DnsDomainName:\t%wZ\r\n" 272 | L"Sid:", 273 | LogonSessionData->LogonId.HighPart, LogonSessionData->LogonId.LowPart, 274 | LogonSessionData->Session, 275 | GetLogonTypeName(LogonSessionData->LogonType, cc), 276 | tf.Year, tf.Month, tf.Day, tf.Hour, tf.Minute, tf.Second, 277 | &LogonSessionData->UserName, 278 | &LogonSessionData->LogonDomain, 279 | &LogonSessionData->AuthenticationPackage, 280 | &LogonSessionData->LogonServer, 281 | &LogonSessionData->DnsDomainName 282 | ); 283 | 284 | if (Sid) 285 | { 286 | UNICODE_STRING us; 287 | 288 | if (0 > RtlConvertSidToUnicodeString(&us, Sid, TRUE)) 289 | { 290 | us.Length = 0, us.Buffer = 0; 291 | } 292 | 293 | PLSA_REFERENCED_DOMAIN_LIST ReferencedDomains; 294 | PLSA_TRANSLATED_NAME Names; 295 | ULONG Entries = 0; 296 | PLSA_TRUST_INFORMATION Domains = 0; 297 | 298 | const static UNICODE_STRING emptyUS{}; 299 | PCUNICODE_STRING Name = &emptyUS; 300 | PCUNICODE_STRING Domain = &emptyUS; 301 | SID_NAME_USE Use = SidTypeUnknown; 302 | 303 | if (0 <= (status = LsaLookupSids(ll(), 1, &Sid, &ReferencedDomains, &Names))) 304 | { 305 | Entries = ReferencedDomains->Entries; 306 | Domains = ReferencedDomains->Domains; 307 | Name = &Names->Name; 308 | Use = Names->Use; 309 | 310 | ULONG DomainIndex = Names->DomainIndex; 311 | 312 | if (DomainIndex < Entries) 313 | { 314 | Domain = &Domains[DomainIndex].Name; 315 | } 316 | } 317 | 318 | log(L"\t[%wZ] '%wZ\\%wZ' [%S]\r\n", &us, Domain, Name, GetSidNameUseName(Use)); 319 | 320 | if (0 <= status) 321 | { 322 | LsaFreeMemory(Names); 323 | LsaFreeMemory(ReferencedDomains); 324 | } 325 | 326 | RtlFreeUnicodeString(&us); 327 | } 328 | 329 | log << '\r' << '\n'; 330 | 331 | LsaFreeReturnBuffer(LogonSessionData); 332 | 333 | AddProToLS(log, LogonSessionList, pspi); 334 | } 335 | 336 | } while (LogonSessionList++, --LogonSessionCount); 337 | } 338 | LsaFreeReturnBuffer(Buffer); 339 | } 340 | } 341 | 342 | void els(WLog& log) 343 | { 344 | NTSTATUS status; 345 | DWORD cb = 0x40000; 346 | do 347 | { 348 | status = STATUS_INSUFFICIENT_RESOURCES; 349 | 350 | if (PVOID pv = new BYTE[cb]) 351 | { 352 | if (0 <= (status = NtQuerySystemInformation(SystemProcessInformation, pv, cb, &cb))) 353 | { 354 | if (!Impersonate(pv)) 355 | { 356 | log(L"Impersonate error\r\n"); 357 | } 358 | 359 | Update(log, pv); 360 | DumpSessions(log, pv); 361 | } 362 | delete [] pv; 363 | } 364 | 365 | } while (status == STATUS_INFO_LENGTH_MISMATCH); 366 | 367 | if (0 > status) 368 | { 369 | log(L"QuerySystemInformation(SystemProcessInformation)=%x\r\n", status); 370 | } 371 | } 372 | 373 | void ShowSessions(HWND hwnd) 374 | { 375 | if (PWSTR buf = (PWSTR)LocalAlloc(0, 0x80000)) 376 | { 377 | WLog log(buf, 0x80000); 378 | els(log); 379 | SetThreadToken(0, 0); 380 | log >> hwnd; 381 | } 382 | } 383 | 384 | _NT_END -------------------------------------------------------------------------------- /PP/tmp2.cpp: -------------------------------------------------------------------------------- 1 | #include "StdAfx.h" 2 | #include "../NtVer/nt_ver.h" 3 | _NT_BEGIN 4 | 5 | extern OBJECT_ATTRIBUTES zoa; 6 | extern volatile UCHAR guz; 7 | 8 | #include "buf.h" 9 | 10 | void els(PVOID Buf, WLog& log0, WLog& log) 11 | { 12 | union { 13 | PVOID pv; 14 | PBYTE pb; 15 | PSYSTEM_PROCESS_INFORMATION pspi; 16 | }; 17 | 18 | pv = Buf; 19 | 20 | LARGE_INTEGER li; 21 | GetSystemTimeAsFileTime((PFILETIME)&li); 22 | 23 | BOOL bExistProtectionInfo = g_nt_ver.Version >= _WIN32_WINNT_WIN8; 24 | 25 | PROCESS_EXTENDED_BASIC_INFORMATION pebi = { sizeof(pebi) }; 26 | 27 | ULONG NextEntryOffset = 0, rcb; 28 | 29 | do 30 | { 31 | pb += NextEntryOffset; 32 | 33 | CLIENT_ID cid = { pspi->UniqueProcessId }; 34 | 35 | if (cid.UniqueProcess) 36 | { 37 | TIME_FIELDS tf; 38 | RtlTimeToTimeFields(&pspi->CreateTime, &tf); 39 | LARGE_INTEGER t; 40 | t.QuadPart = (li.QuadPart - pspi->CreateTime.QuadPart)/10000000; 41 | 42 | HANDLE hProcess; 43 | 44 | NTSTATUS s = NtOpenProcess(&hProcess, PROCESS_QUERY_LIMITED_INFORMATION, &zoa, &cid); 45 | 46 | if (0 <= s) 47 | { 48 | if (0 > NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pebi, sizeof(pebi), &rcb)) 49 | { 50 | pebi.Flags = 0; 51 | } 52 | 53 | if (pebi.IsProtectedProcess && bExistProtectionInfo) 54 | { 55 | PS_PROTECTION ps; 56 | 57 | if (0 <= NtQueryInformationProcess(hProcess, ProcessProtectionInformation, &ps, sizeof(ps), &rcb)) 58 | { 59 | char sztype[16], szsigner[16]; 60 | PCSTR type = sztype, signer = szsigner; 61 | 62 | switch (ps.Type) 63 | { 64 | case PsProtectedTypeNone: 65 | type = " None"; 66 | break; 67 | case PsProtectedTypeProtectedLight: 68 | type = " Light"; 69 | break; 70 | case PsProtectedTypeProtected: 71 | type = "Protected"; 72 | break; 73 | default: 74 | sprintf(sztype, "%9u", ps.Type); 75 | } 76 | 77 | switch (ps.Signer) 78 | { 79 | case PsProtectedSignerNone: 80 | signer = "None "; 81 | break; 82 | case PsProtectedSignerAuthenticode: 83 | signer = "Authenticode"; 84 | break; 85 | case PsProtectedSignerCodeGen: 86 | signer = "CodeGen "; 87 | break; 88 | case PsProtectedSignerAntimalware: 89 | signer = "Antimalware "; 90 | break; 91 | case PsProtectedSignerLsa: 92 | signer = "Lsa "; 93 | break; 94 | case PsProtectedSignerWindows: 95 | signer = "Windows "; 96 | break; 97 | case PsProtectedSignerWinTcb: 98 | signer = "WinTcb "; 99 | break; 100 | case PsProtectedSignerWinSystem: 101 | signer = "WinSystem "; 102 | break; 103 | case PsProtectedSignerApp: 104 | signer = "App "; 105 | break; 106 | default: 107 | sprintf(szsigner, "%12u", ps.Signer); 108 | } 109 | 110 | log0(L"%S.%S {%x} %04x(%04x) %d-%02d:%02d:%02d[%d-%02d-%02d %02d:%02d:%02d] %wZ\r\n", 111 | type, signer, pspi->SessionId, 112 | (ULONG)(ULONG_PTR)pspi->UniqueProcessId, 113 | (ULONG)(ULONG_PTR)pspi->InheritedFromUniqueProcessId, 114 | (DWORD)(t.QuadPart / (3600*24)), 115 | (DWORD)((t.QuadPart / 3600) % 24), 116 | (DWORD)((t.QuadPart / 60) % 60), 117 | (DWORD)(t.QuadPart % 60), 118 | tf.Year, tf.Month, tf.Day, tf.Hour, tf.Minute, tf.Second, 119 | &pspi->ImageName); 120 | } 121 | } 122 | 123 | ULONG f; 124 | if (0 <= NtQueryInformationProcess(hProcess, ProcessBreakOnTermination, &f, sizeof(f), &rcb) && f) 125 | { 126 | pebi.SpareBits = 1; 127 | } 128 | 129 | log << '['; 130 | BOOL bInJob; 131 | if (IsProcessInJob(hProcess, 0, &bInJob)) 132 | { 133 | log << (bInJob ? 'J' : '.'); 134 | } 135 | else 136 | { 137 | log << '?'; 138 | } 139 | 140 | log << (pebi.IsProtectedProcess ? 'P' : '.') 141 | << (pebi.IsWow64Process ? 'W' : '.') 142 | << (pebi.IsProcessDeleting ? 'D' : '.') 143 | << (pebi.IsCrossSessionCreate ? 'C' : '.') 144 | << (pebi.IsFrozen ? 'F' : '.') 145 | << (pebi.IsBackground ? 'B' : '.') 146 | << (pebi.IsStronglyNamed ? 'N' : '.') 147 | << (pebi.IsSecureProcess ? 'S' : '.') 148 | << (pebi.IsSubsystemProcess ? 'Y' : '.') 149 | << (pebi.SpareBits ? 'T' : '.'); 150 | 151 | log(L"] {%x} %04x(%04x) %d-%02d:%02d:%02d[%d-%02d-%02d %02d:%02d:%02d] %wZ\r\n", 152 | pspi->SessionId, 153 | (ULONG)(ULONG_PTR)pspi->UniqueProcessId, 154 | (ULONG)(ULONG_PTR)pspi->InheritedFromUniqueProcessId, 155 | (DWORD)(t.QuadPart / (3600*24)), 156 | (DWORD)((t.QuadPart / 3600) % 24), 157 | (DWORD)((t.QuadPart / 60) % 60), 158 | (DWORD)(t.QuadPart % 60), 159 | tf.Year, tf.Month, tf.Day, tf.Hour, tf.Minute, tf.Second, &pspi->ImageName); 160 | 161 | NtClose(hProcess); 162 | } 163 | else 164 | { 165 | log(L"fail: %08x %p %wZ\r\n", s, cid.UniqueProcess, &pspi->ImageName); 166 | } 167 | } 168 | 169 | } while (NextEntryOffset = pspi->NextEntryOffset); 170 | 171 | log0(L"\r\n" 172 | L"[J..........] - Process In Job\r\n" 173 | L"[.P.........] - ProtectedProcess\r\n" 174 | L"[..W........] - Wow64Process\r\n" 175 | L"[...D.......] - ProcessDeleting\r\n" 176 | L"[....C......] - CrossSessionCreate\r\n" 177 | L"[.....F.....] - Frozen\r\n" 178 | L"[......B....] - Background\r\n" 179 | L"[.......N...] - StronglyNamed\r\n" 180 | L"[........S..] - SecureProcess\r\n" 181 | L"[.........Y.] - SubsystemProcess\r\n" 182 | L"[..........T] - BreakOnTermination"); 183 | } 184 | 185 | void els2(WLog& log0, WLog& log) 186 | { 187 | NTSTATUS status; 188 | ULONG cb = 0x20000; 189 | 190 | do 191 | { 192 | status = STATUS_INSUFFICIENT_RESOURCES; 193 | 194 | if (PVOID pv = LocalAlloc(0, cb)) 195 | { 196 | if (0 <= (status = NtQuerySystemInformation(SystemProcessInformation, pv, cb, &cb))) 197 | { 198 | els(pv, log0, log); 199 | } 200 | LocalFree(pv); 201 | } 202 | 203 | } while (status == STATUS_INFO_LENGTH_MISMATCH); 204 | 205 | if (0 > status) 206 | { 207 | log(L"QuerySystemInformation(SystemProcessInformation)=%x\r\n", status); 208 | log[status]; 209 | } 210 | } 211 | 212 | void ShowE2(HWND hWndParent, PCWSTR Caption, PCWSTR psz1, PCWSTR psz2, HFONT hFont ); 213 | 214 | void ShowProtectedProcesses(HWND hwnd, HFONT hFont) 215 | { 216 | enum { cbAll = 0x20000, cbSmall = 0x2000}; 217 | if (PWSTR buf = (PWSTR)LocalAlloc(0, cbAll)) 218 | { 219 | WLog log0(buf, cbSmall), log((PBYTE)buf + cbSmall, cbAll - cbSmall); 220 | els2(log0, log); 221 | ShowE2(hwnd, L"Protected Processes", buf, (PWSTR)((PBYTE)buf + cbSmall), hFont); 222 | LocalFree(buf); 223 | } 224 | } 225 | 226 | _NT_END -------------------------------------------------------------------------------- /WOW/wow.cpp: -------------------------------------------------------------------------------- 1 | 2 | #include "StdAfx.h" 3 | 4 | #ifdef _WIN64 5 | 6 | _NT_BEGIN 7 | 8 | #include "wow.h" 9 | 10 | struct DLL_LIST 11 | { 12 | struct FUNCTION_LIST 13 | { 14 | FUNCTION_LIST* Next; 15 | void** ppv; 16 | PCSTR Name; 17 | ULONG Ordinal; 18 | }; 19 | 20 | DLL_LIST* Next; 21 | PCUNICODE_STRING DllName; 22 | FUNCTION_LIST* First; 23 | 24 | static DLL_LIST* Get(DLL_LIST* cur, PCUNICODE_STRING DllName) 25 | { 26 | if (cur) 27 | { 28 | do 29 | { 30 | if (RtlEqualUnicodeString(DllName, cur->DllName, TRUE)) 31 | { 32 | return cur; 33 | } 34 | 35 | } while (cur = cur->Next); 36 | } 37 | 38 | return 0; 39 | } 40 | }; 41 | 42 | ULONG GetNameOrdinal(PVOID BaseAddress, PULONG AddressOfNames, ULONG NumberOfNames, PCSTR Name) 43 | { 44 | if (NumberOfNames) 45 | { 46 | DWORD a = 0, o; 47 | 48 | do 49 | { 50 | o = (a + NumberOfNames) >> 1; 51 | 52 | int i = strcmp(RtlOffsetToPointer(BaseAddress, AddressOfNames[o]), Name); 53 | 54 | if (!i) 55 | { 56 | return o; 57 | } 58 | 59 | 0 > i ? a = o + 1 : NumberOfNames = o; 60 | 61 | } while (a < NumberOfNames); 62 | } 63 | 64 | return MAXULONG; 65 | } 66 | 67 | ULONG GetFunc(PVOID BaseAddress, PCSTR lpProcName, ULONG Ordinal) 68 | { 69 | ULONG size, exportRVA, rva; 70 | 71 | if (PIMAGE_EXPORT_DIRECTORY pied = (PIMAGE_EXPORT_DIRECTORY) 72 | RtlImageDirectoryEntryToData(BaseAddress, TRUE, IMAGE_DIRECTORY_ENTRY_EXPORT, &size)) 73 | { 74 | exportRVA = RtlPointerToOffset(BaseAddress, pied); 75 | 76 | if (ULONG NumberOfFunctions = pied->NumberOfFunctions) 77 | { 78 | if (Ordinal) 79 | { 80 | Ordinal -= pied->Base; 81 | } 82 | else 83 | { 84 | if (0 > (int)(Ordinal = GetNameOrdinal(BaseAddress, 85 | (PULONG)RtlOffsetToPointer(BaseAddress, pied->AddressOfNames), pied->NumberOfNames, lpProcName))) 86 | { 87 | return 0; 88 | } 89 | 90 | Ordinal = ((PUSHORT)RtlOffsetToPointer(BaseAddress, pied->AddressOfNameOrdinals))[Ordinal]; 91 | } 92 | 93 | if (Ordinal < NumberOfFunctions) 94 | { 95 | rva = ((PULONG)RtlOffsetToPointer(BaseAddress, pied->AddressOfFunctions))[Ordinal]; 96 | 97 | if ((ULONG_PTR)rva - (ULONG_PTR)exportRVA >= size) 98 | { 99 | return rva; 100 | } 101 | } 102 | } 103 | } 104 | 105 | return 0; 106 | } 107 | 108 | NTSTATUS GetTransferAddress(HANDLE hSection, void** TransferAddress) 109 | { 110 | SECTION_IMAGE_INFORMATION sii; 111 | NTSTATUS status = ZwQuerySection(hSection, SectionImageInformation, &sii, sizeof(sii), 0); 112 | if (0 <= status) 113 | { 114 | if (sii.TransferAddress) 115 | { 116 | *TransferAddress = sii.TransferAddress; 117 | 118 | return STATUS_SUCCESS; 119 | } 120 | 121 | return STATUS_SECTION_NOT_IMAGE ; 122 | } 123 | 124 | return status; 125 | } 126 | 127 | void Query(PCUNICODE_STRING DllName, DLL_LIST::FUNCTION_LIST* funcs) 128 | { 129 | WCHAR buf[0x100]; 130 | if (0 > swprintf_s(buf, _countof(buf), L"\\KnownDlls32\\%wZ", DllName)) return ; 131 | 132 | UNICODE_STRING ObjectName; 133 | OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, &ObjectName, OBJ_CASE_INSENSITIVE }; 134 | RtlInitUnicodeString(&ObjectName, buf); 135 | 136 | HANDLE hSection; 137 | 138 | if (0 <= ZwOpenSection(&hSection, SECTION_MAP_EXECUTE|SECTION_QUERY, &oa)) 139 | { 140 | NTSTATUS status; 141 | PVOID TransferAddress; 142 | PVOID BaseAddress = 0; 143 | SIZE_T ViewSize = 0; 144 | 145 | 0 <= (status = GetTransferAddress(hSection, &TransferAddress)) && 146 | 0 <= (status = ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, 0, 0, 0, &ViewSize, 147 | ViewUnmap, 0, PAGE_EXECUTE)); 148 | 149 | NtClose(hSection); 150 | 151 | if (0 <= status) 152 | { 153 | if (PIMAGE_NT_HEADERS32 pinth = (PIMAGE_NT_HEADERS32)RtlImageNtHeader(BaseAddress)) 154 | { 155 | do 156 | { 157 | if (ULONG rva = GetFunc(BaseAddress, funcs->Name, funcs->Ordinal)) 158 | { 159 | *funcs->ppv = (PBYTE)TransferAddress - pinth->OptionalHeader.AddressOfEntryPoint + rva; 160 | } 161 | 162 | } while (funcs = funcs->Next); 163 | } 164 | 165 | ZwUnmapViewOfSection(NtCurrentProcess(), BaseAddress); 166 | } 167 | } 168 | } 169 | 170 | NTSTATUS NameForAddress(PVOID BaseAddress, PVOID pv, PCSTR* lplpProcName, PULONG pOrdinal) 171 | { 172 | *lplpProcName = 0, *pOrdinal = 0; 173 | 174 | ULONG size; 175 | 176 | if (PIMAGE_EXPORT_DIRECTORY pied = (PIMAGE_EXPORT_DIRECTORY) 177 | RtlImageDirectoryEntryToData(BaseAddress, TRUE, IMAGE_DIRECTORY_ENTRY_EXPORT, &size)) 178 | { 179 | if (ULONG NumberOfFunctions = pied->NumberOfFunctions) 180 | { 181 | PULONG AddressOfFunctions = (PULONG)RtlOffsetToPointer(BaseAddress, pied->AddressOfFunctions); 182 | PULONG AddressOfNames = (PULONG)RtlOffsetToPointer(BaseAddress, pied->AddressOfNames); 183 | PWORD AddressOfNameOrdinals = (PWORD)RtlOffsetToPointer(BaseAddress, pied->AddressOfNameOrdinals); 184 | 185 | if (ULONG NumberOfNames = pied->NumberOfNames) 186 | { 187 | do 188 | { 189 | PCSTR name = RtlOffsetToPointer(BaseAddress, *AddressOfNames++); 190 | 191 | if (RtlOffsetToPointer(BaseAddress, AddressOfFunctions[*AddressOfNameOrdinals++]) == pv) 192 | { 193 | *lplpProcName = name; 194 | return STATUS_SUCCESS; 195 | } 196 | 197 | } while (--NumberOfNames); 198 | } 199 | 200 | ULONG Ordinal = pied->Base; 201 | do 202 | { 203 | if (RtlOffsetToPointer(BaseAddress, *AddressOfFunctions++) == pv) 204 | { 205 | *pOrdinal = Ordinal; 206 | return STATUS_SUCCESS; 207 | } 208 | } while (Ordinal++, --NumberOfFunctions); 209 | } 210 | } 211 | 212 | return STATUS_PROCEDURE_NOT_FOUND; 213 | } 214 | 215 | extern const volatile UCHAR guz; 216 | 217 | void DLL_LIST_0::Process(DLL_LIST_0 *p) 218 | { 219 | PVOID stack = alloca(guz); 220 | 221 | union { 222 | PVOID buf; 223 | DLL_LIST* pDll; 224 | DLL_LIST::FUNCTION_LIST* pFunc; 225 | }; 226 | 227 | buf = stack; 228 | 229 | DLL_LIST* First = 0, *cur; 230 | DLL_LIST_0* q = p; 231 | HMODULE hmod; 232 | 233 | do 234 | { 235 | // DbgPrint("%S\n", p->lpModuleName); 236 | 237 | p->hmod = hmod = LoadLibraryExW(p->lpModuleName, 0, DONT_RESOLVE_DLL_REFERENCES); 238 | 239 | if (hmod) 240 | { 241 | for (FUNCTION* funcs = p->funcs ; PCSTR lpProcName = funcs->lpProcName; funcs++ ) 242 | { 243 | union 244 | { 245 | ULONG Ordinal = 0; 246 | PCSTR psz; 247 | }; 248 | 249 | ANSI_STRING ProcedureName, *pProcedureName = 0; 250 | 251 | if (IS_INTRESOURCE(lpProcName)) 252 | { 253 | psz = lpProcName; 254 | } 255 | else 256 | { 257 | RtlInitAnsiString(pProcedureName = &ProcedureName, lpProcName); 258 | } 259 | 260 | // DbgPrint("\t#%u %Z", Ordinal, pProcedureName); 261 | 262 | PVOID pv, DllBase; 263 | _LDR_DATA_TABLE_ENTRY* ldte; 264 | 265 | if (0 <= LdrGetProcedureAddress(hmod, pProcedureName, Ordinal, &pv) && 266 | 0 <= LdrFindEntryForAddress(pv, &ldte) && 267 | 0 <= ((DllBase = ldte->DllBase) == hmod ? 0 : NameForAddress(DllBase, pv, &lpProcName, &Ordinal))) 268 | { 269 | // if (DllBase != hmod) DbgPrint(" -> %wZ: #%u %s", &ldte->BaseDllName, Ordinal, lpProcName); 270 | 271 | if (cur = DLL_LIST::Get(First, &ldte->BaseDllName)) 272 | { 273 | } 274 | else 275 | { 276 | if ((cur = --pDll) < stack) 277 | { 278 | stack = alloca(sizeof(DLL_LIST)); 279 | } 280 | pDll->First = 0; 281 | pDll->Next = First, First = pDll; 282 | pDll->DllName = &ldte->BaseDllName; 283 | } 284 | 285 | if (--pFunc < stack) 286 | { 287 | stack = alloca(sizeof(DLL_LIST::FUNCTION_LIST)); 288 | } 289 | 290 | pFunc->Next = cur->First, cur->First = pFunc; 291 | 292 | pFunc->Name = lpProcName; 293 | pFunc->Ordinal = Ordinal; 294 | pFunc->ppv = &funcs->pv; 295 | } 296 | 297 | // DbgPrint("\n"); 298 | } 299 | 300 | } 301 | 302 | } while (p = p->next); 303 | 304 | if (First) 305 | { 306 | do 307 | { 308 | Query(First->DllName, First->First); 309 | 310 | } while (First = First->Next); 311 | } 312 | 313 | do 314 | { 315 | if (hmod = q->hmod) 316 | { 317 | FreeLibrary(hmod); 318 | } 319 | } while (q = q->next); 320 | } 321 | 322 | _NT_END 323 | 324 | #endif -------------------------------------------------------------------------------- /WOW/wow.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | struct DLL_LIST_0 4 | { 5 | struct FUNCTION 6 | { 7 | PCSTR lpProcName; 8 | PVOID pv; 9 | }; 10 | 11 | DLL_LIST_0 *next; 12 | 13 | union { 14 | PCWSTR lpModuleName; 15 | HMODULE hmod; 16 | }; 17 | 18 | FUNCTION funcs[]; 19 | 20 | static void Process(DLL_LIST_0 *cur); 21 | }; 22 | 23 | #define BEGIN_DLL_FUNCS(name, prevname) DLL_LIST_0 name { prevname, _CRT_WIDE(_CRT_STRINGIZE(name)), { 24 | #define END_DLL_FUNCS() {}}} 25 | 26 | #define FUNC(name) { _CRT_STRINGIZE(name) } 27 | #define ORDN(n) { MAKEINTRESOURCEA(n) } 28 | -------------------------------------------------------------------------------- /X64/ListProtected.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/partial/6fe64e3f2c8c54b21cd75bdd7c855ecb29640cae/X64/ListProtected.exe -------------------------------------------------------------------------------- /X64/MemDump.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/partial/6fe64e3f2c8c54b21cd75bdd7c855ecb29640cae/X64/MemDump.exe -------------------------------------------------------------------------------- /X64/lgSessions.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/partial/6fe64e3f2c8c54b21cd75bdd7c855ecb29640cae/X64/lgSessions.exe -------------------------------------------------------------------------------- /X86/ListProtected.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/partial/6fe64e3f2c8c54b21cd75bdd7c855ecb29640cae/X86/ListProtected.exe -------------------------------------------------------------------------------- /X86/MemDump.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/partial/6fe64e3f2c8c54b21cd75bdd7c855ecb29640cae/X86/MemDump.exe -------------------------------------------------------------------------------- /X86/lgSessions.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/partial/6fe64e3f2c8c54b21cd75bdd7c855ecb29640cae/X86/lgSessions.exe --------------------------------------------------------------------------------