private void RefreshProcessList(string filter, bool hideUnrestricted)
{
List <ProcessEntry> processes = ProcessEntry.GetProcesses();
processes.Sort((a, b) => a.Pid - b.Pid);
IEnumerable <ProcessEntry> filtered = processes.Where(p => p.Token != null);
if (!String.IsNullOrWhiteSpace(filter))
{
filter = filter.ToLower();
filtered = filtered.Where(p => p.Name.ToLower().Contains(filter));
}
if (hideUnrestricted)
{
filtered = filtered.Where(p => p.Token.IsRestricted() || p.Token.IsAppContainer() || p.Token.GetTokenIntegrityLevel() < TokenIntegrityLevel.Medium);
}
treeViewProcesses.Nodes.Clear();
listViewThreads.Items.Clear();
foreach (ProcessEntry entry in filtered)
{
AddProcessNode(entry);
AddThreads(entry);
}
listViewThreads.AutoResizeColumns(ColumnHeaderAutoResizeStyle.ColumnContent);
listViewThreads.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
}
public static void KillProcess(string processName)
{
ProcessEntry[] processes = ProcessEntry.GetProcesses();
foreach (var process in processes)
{
if (process.ExeFile.ToLower().CompareTo(processName.ToLower()) == 0)
{
process.Kill();
return;
}
}
}
public static bool ProcessExists(string processName)
{
ProcessEntry[] processes = ProcessEntry.GetProcesses();
foreach (var process in processes)
{
if (process.ExeFile.ToLower().CompareTo(processName.ToLower()) == 0)
{
return(true);
}
}
return(false);
}
static void Main(string[] args)
{
bool show_help = false;
HashSet <string> mitigation_filter = new HashSet <string>(StringComparer.OrdinalIgnoreCase);
HashSet <string> process_filter = new HashSet <string>(StringComparer.CurrentCultureIgnoreCase);
HashSet <int> pid_filter = new HashSet <int>();
HashSet <string> cmdline_filter = new HashSet <string>();
bool all_mitigations = false;
OptionSet p = new OptionSet()
{
{ "t|type=", "A filter for processes with a specific mitigation to display", v => mitigation_filter.Add(v.Trim()) },
{ "f|filter=", "A filter for the name of a process to display", v => process_filter.Add(v.Trim()) },
{ "p|pid=", "A filter for a specific PID to display", v => pid_filter.Add(int.Parse(v)) },
{ "c|cmd=", "A filter for the command line of a process to display", v => cmdline_filter.Add(v.Trim().ToLower()) },
{ "a|all", "When filtering on mitigation show all process mitigations", v => all_mitigations = v != null },
{ "h|help", "show this message and exit",
v => show_help = v != null },
};
foreach (PropertyInfo prop in typeof(ProcessMitigations).GetProperties())
{
_props.Add(prop.Name.ToLower(), prop);
}
try
{
p.Parse(args);
if (show_help)
{
ShowHelp(p);
}
else
{
IEnumerable <ProcessEntry> procs = ProcessEntry.GetProcesses();
if (cmdline_filter.Count > 0)
{
Dictionary <uint, string> cmdlines = GetCommandLines();
foreach (KeyValuePair <uint, string> pair in cmdlines)
{
if ((int)pair.Key != Process.GetCurrentProcess().Id)
{
foreach (string filter in cmdline_filter)
{
if (pair.Value.ToLower().Contains(filter))
{
pid_filter.Add((int)pair.Key);
break;
}
}
}
}
}
if (pid_filter.Count > 0)
{
procs = procs.Where(e => pid_filter.Contains(e.Pid));
}
if (process_filter.Count > 0)
{
procs = procs.Where(e => process_filter.Contains(e.Name));
}
if (mitigation_filter.Count > 0)
{
procs = procs.Where(e => HasPropertySet(e.Mitigations, mitigation_filter));
}
else
{
all_mitigations = true;
}
foreach (ProcessEntry entry in procs)
{
DumpProcessEntry(entry, mitigation_filter, all_mitigations);
}
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
}
static void Main(string[] args)
{
try
{
bool show_help = false;
HashSet <string> typeFilter = new HashSet <string>();
HashSet <int> pidFilter = new HashSet <int>();
HashSet <string> nameFilter = new HashSet <string>();
bool noquery = false;
GroupingMode mode = GroupingMode.Pid;
ShareMode shareMode = ShareMode.None;
bool showsd = false;
OptionSet opts = new OptionSet()
{
{ "t|type=", "An object type to filter on, can be repeated", v => typeFilter.Add(v.Trim().ToLower()) },
{ "p|pid=", "A PID to filter on, can be repeated", v => pidFilter.Add(int.Parse(v.Trim())) },
{ "n|name=", "Specify a process by name", v => nameFilter.Add(v.ToLower()) },
{ "q|noquery", "Don't query for names/typenames", v => noquery = v != null },
{ "g|group=", "Specify a grouping, defaults to pid, can be object,name,type", v => mode = (GroupingMode)Enum.Parse(typeof(GroupingMode), v, true) },
{ "s|share=", "When grouping, filter on shared, can be none,partial or all", v => shareMode = (ShareMode)Enum.Parse(typeof(ShareMode), v, true) },
{ "sd", "Display the security descriptor associated with the kernel object", v => showsd = v != null },
{ "h|help", "show this message and exit",
v => show_help = v != null },
};
opts.Parse(args);
if (show_help)
{
ShowHelp(opts);
}
else
{
List <ProcessEntry> pss = ProcessEntry.GetProcesses();
IEnumerable <ProcessEntry> filtered = pss;
if (pidFilter.Count > 0)
{
filtered = filtered.Where(ps => pidFilter.Contains(ps.Pid));
}
if (nameFilter.Count > 0)
{
filtered = filtered.Where(ps => nameFilter.Contains(ps.Name, StringComparer.OrdinalIgnoreCase));
}
HashSet <int> pids = new HashSet <int>(filtered.Select(process => process.Pid));
Dictionary <int, string> pidToName = filtered.ToDictionary(pk => pk.Pid, pv => pv.Name);
List <HandleEntry> totalHandles = new List <HandleEntry>();
foreach (int pid in pids)
{
if (pid == Process.GetCurrentProcess().Id)
{
continue;
}
IEnumerable <HandleEntry> handles = NativeBridge.GetHandlesForPid(pid, noquery).Where(ent => (typeFilter.Count == 0) || typeFilter.Contains(ent.TypeName.ToLower()));
totalHandles.AddRange(handles);
if (mode == GroupingMode.Pid)
{
Console.WriteLine("Process ID: {0} - Name: {1}", pid, pidToName[pid]);
foreach (HandleEntry ent in handles)
{
Console.WriteLine("{0:X04}: {1:X016} {2:X08} {3,20} {4}", ent.Handle.ToInt32(), ent.Object.ToInt64(), ent.GrantedAccess, ent.TypeName, ent.ObjectName);
if (showsd && !String.IsNullOrWhiteSpace(ent.StringSecurityDescriptor))
{
Console.WriteLine("SDDL: {0}", ent.StringSecurityDescriptor);
}
}
Console.WriteLine();
}
}
switch (mode)
{
case GroupingMode.Type:
PrintGrouping(totalHandles.GroupBy(f => f.TypeName), pidToName, k => String.Format("Type: {0}", k),
e => String.Format("{0:X08} {1:X08} {2}", e.Object.ToInt64(), e.GrantedAccess, e.ObjectName),
shareMode, pids.Count, showsd);
break;
case GroupingMode.Object:
PrintGrouping(totalHandles.GroupBy(f => f.Object), pidToName, k => String.Format("Object: {0:X08}", k.ToInt64()),
e => String.Format("{0,20} {1:X08} {2}", e.TypeName, e.GrantedAccess, e.ObjectName),
shareMode, pids.Count, showsd);
break;
case GroupingMode.Name:
PrintGrouping(totalHandles.GroupBy(f => f.ObjectName), pidToName, k => String.Format("Name: {0:X08}", k),
e => String.Format("{0:X08} {1,20} {2:X08} {2}", e.Object.ToInt64(), e.TypeName, e.GrantedAccess),
shareMode, pids.Count, showsd);
break;
}
}
}
catch (Exception ex)
{
Console.WriteLine(ex);
}
}