private PebData ReadPebData()
{
if (_process.GetArchitecture() == Architecture.X86)
{
Span <byte> pebAddressBuffer = stackalloc byte[IntPtr.Size];
// Query the process for the address of its WOW64 PEB
var ntStatus = Ntdll.NtQueryInformationProcess(_process.SafeHandle, ProcessInformationClass.Wow64Information, out pebAddressBuffer[0], pebAddressBuffer.Length, out _);
if (ntStatus != NtStatus.Success)
{
throw new Win32Exception(Ntdll.RtlNtStatusToDosError(ntStatus));
}
var pebAddress = MemoryMarshal.Read <IntPtr>(pebAddressBuffer);
// Read the WOW64 PEB
var peb = _process.ReadStructure <Peb32>(pebAddress);
return(new PebData(SafeHelpers.CreateSafeIntPtr(peb.ApiSetMap), SafeHelpers.CreateSafeIntPtr(peb.Ldr)));
}
else
{
Span <byte> basicInformationBuffer = stackalloc byte[Unsafe.SizeOf <ProcessBasicInformation64>()];
// Query the process for its basic information
var ntStatus = Ntdll.NtQueryInformationProcess(_process.SafeHandle, ProcessInformationClass.BasicInformation, out basicInformationBuffer[0], basicInformationBuffer.Length, out _);
if (ntStatus != NtStatus.Success)
{
throw new Win32Exception(Ntdll.RtlNtStatusToDosError(ntStatus));
}
var basicInformation = MemoryMarshal.Read <ProcessBasicInformation64>(basicInformationBuffer);
// Read the PEB
var peb = _process.ReadStructure <Peb64>(SafeHelpers.CreateSafeIntPtr(basicInformation.PebBaseAddress));
return(new PebData(SafeHelpers.CreateSafeIntPtr(peb.ApiSetMap), SafeHelpers.CreateSafeIntPtr(peb.Ldr)));
}
}
private static IntPtr GetLoaderAddress(Process process)
{
if (process.GetArchitecture() == Architecture.X86)
{
IntPtr pebAddress;
if (Environment.Is64BitOperatingSystem)
{
// Query the process for the address of its WOW64 PEB
pebAddress = process.QueryInformation <IntPtr>(ProcessInformationType.Wow64Information);
}
else
{
// Query the process for its basic information
var basicInformation = process.QueryInformation <ProcessBasicInformation32>(ProcessInformationType.BasicInformation);
pebAddress = SafeHelpers.CreateSafePointer(basicInformation.PebBaseAddress);
}
// Read the PEB
var peb = process.ReadStructure <Peb32>(pebAddress);
return(SafeHelpers.CreateSafePointer(peb.Ldr));
}
else
{
// Query the process for its basic information
var basicInformation = process.QueryInformation <ProcessBasicInformation64>(ProcessInformationType.BasicInformation);
var pebAddress = SafeHelpers.CreateSafePointer(basicInformation.PebBaseAddress);
// Read the PEB
var peb = process.ReadStructure <Peb64>(pebAddress);
return(SafeHelpers.CreateSafePointer(peb.Ldr));
}
}
public void OnRecognize(string ruleName, string text, Action <string> speaker)
{
if (ruleName == RuleNames.First())
{
var app = text.Replace(openPrefix, string.Empty).Trim();
string path;
if (!lnkDict.TryGetValue(app, out path))
{
return;
}
Process.Start(path);
speaker(string.Format("Started {0}.", app));
return;
}
if (ruleName == RuleNames.Last())
{
var app = text.Replace(closePrefix, string.Empty).Trim();
string path;
if (!lnkDict.TryGetValue(app, out path))
{
return;
}
var proc = Process.GetProcesses().OrderByDescending(p => SafeHelpers.GetStartTimeSafe(p)).FirstOrDefault(
p => {
var mod = SafeHelpers.GetModulesSafe(p).FirstOrDefault();
return(mod == null ? false
: mod.FileName == path ? true
: Path.GetFileName(mod.FileName) == Path.GetFileName(path));
});
if (proc == null)
{
speaker(string.Format("Couldn't find {0}!", app));
return;
}
SafeHelpers.TrySafe(() => proc.CloseMainWindow());
SafeHelpers.TrySafe(() => proc.Close());
SafeHelpers.TrySafe(() => proc.Kill());
speaker(string.Format("Closed {0}.", app));
return;
}
}
private static DateTime GetLogonTime()
{
return(Process.GetProcesses().Select(p => SafeHelpers.GetStartTimeSafe(p)).Min().GetValueOrDefault());
}
internal IEnumerable <Module> ReadModules()
{
if (_process.GetArchitecture() == Architecture.X86)
{
// Read the loader data of the PEB
var loaderData = _process.ReadStructure <PebLdrData32>(_pebData.LoaderAddress);
// Traverse the InMemoryOrder module list
var currentEntryAddress = SafeHelpers.CreateSafeIntPtr(loaderData.InMemoryOrderModuleList.Flink);
var inMemoryOrderLinksOffset = Marshal.OffsetOf <LdrDataTableEntry32>("InMemoryOrderLinks");
while (true)
{
// Read the entry
var entryAddress = currentEntryAddress - (int)inMemoryOrderLinksOffset;
var entry = _process.ReadStructure <LdrDataTableEntry32>(entryAddress);
// Read the file path of the entry
var entryFilePathAddress = SafeHelpers.CreateSafeIntPtr(entry.FullDllName.Buffer);
var entryFilePathBuffer = _process.ReadBuffer <byte>(entryFilePathAddress, entry.FullDllName.Length);
var entryFilePath = Encoding.Unicode.GetString(entryFilePathBuffer);
if (Environment.Is64BitOperatingSystem)
{
// Redirect the file path to the WOW64 system directory
entryFilePath = entryFilePath.Replace("System32", "SysWOW64", StringComparison.OrdinalIgnoreCase);
}
// Read the name of the entry
var entryNameAddress = SafeHelpers.CreateSafeIntPtr(entry.BaseDllName.Buffer);
var entryNameBuffer = _process.ReadBuffer <byte>(entryNameAddress, entry.BaseDllName.Length);
var entryName = Encoding.Unicode.GetString(entryNameBuffer);
yield return(new Module(SafeHelpers.CreateSafeIntPtr(entry.DllBase), entryFilePath, entryName));
if ((int)currentEntryAddress == loaderData.InMemoryOrderModuleList.Blink)
{
break;
}
// Set the address of the next entry
currentEntryAddress = SafeHelpers.CreateSafeIntPtr(entry.InMemoryOrderLinks.Flink);
}
}
else
{
// Read the loader data of the PEB
var loaderData = _process.ReadStructure <PebLdrData64>(_pebData.LoaderAddress);
// Traverse the InMemoryOrder module list
var currentEntryAddress = SafeHelpers.CreateSafeIntPtr(loaderData.InMemoryOrderModuleList.Flink);
var inMemoryOrderLinksOffset = Marshal.OffsetOf <LdrDataTableEntry64>("InMemoryOrderLinks");
while (true)
{
// Read the entry
var entryAddress = currentEntryAddress - (int)inMemoryOrderLinksOffset;
var entry = _process.ReadStructure <LdrDataTableEntry64>(entryAddress);
// Read the file path of the entry
var entryFilePathAddress = SafeHelpers.CreateSafeIntPtr(entry.FullDllName.Buffer);
var entryFilePathBuffer = _process.ReadBuffer <byte>(entryFilePathAddress, entry.FullDllName.Length);
var entryFilePath = Encoding.Unicode.GetString(entryFilePathBuffer);
// Read the name of the entry
var entryNameAddress = SafeHelpers.CreateSafeIntPtr(entry.BaseDllName.Buffer);
var entryNameBuffer = _process.ReadBuffer <byte>(entryNameAddress, entry.BaseDllName.Length);
var entryName = Encoding.Unicode.GetString(entryNameBuffer);
yield return(new Module(SafeHelpers.CreateSafeIntPtr(entry.DllBase), entryFilePath, entryName));
if ((long)currentEntryAddress == loaderData.InMemoryOrderModuleList.Blink)
{
break;
}
// Set the address of the next entry
currentEntryAddress = SafeHelpers.CreateSafeIntPtr(entry.InMemoryOrderLinks.Flink);
}
}
}
internal Module?GetModule(string moduleName)
{
if (_process.GetArchitecture() == Architecture.X86)
{
// Read the loader data
var loaderData = _process.ReadStructure <PebLdrData32>(_address);
var currentEntryAddress = SafeHelpers.CreateSafePointer(loaderData.InLoadOrderModuleList.Flink);
while (true)
{
// Read the entry
var entry = _process.ReadStructure <LdrDataTableEntry32>(currentEntryAddress);
// Read the name of the entry
var entryNameAddress = SafeHelpers.CreateSafePointer(entry.BaseDllName.Buffer);
var entryName = _process.ReadString(entryNameAddress, entry.BaseDllName.Length);
if (moduleName.Equals(entryName, StringComparison.OrdinalIgnoreCase))
{
// Read the file path of the entry
var entryFilePathAddress = SafeHelpers.CreateSafePointer(entry.FullDllName.Buffer);
var entryFilePath = _process.ReadString(entryFilePathAddress, entry.FullDllName.Length);
if (Environment.Is64BitOperatingSystem)
{
// Redirect the file path to the WOW64 directory
entryFilePath = entryFilePath.Replace("System32", "SysWOW64", StringComparison.OrdinalIgnoreCase);
}
return(new Module(SafeHelpers.CreateSafePointer(entry.DllBase), entryName, new PeImage(File.ReadAllBytes(entryFilePath))));
}
if (currentEntryAddress.ToInt32() == loaderData.InLoadOrderModuleList.Blink)
{
break;
}
currentEntryAddress = SafeHelpers.CreateSafePointer(entry.InLoadOrderLinks.Flink);
}
}
else
{
// Read the loader data
var loaderData = _process.ReadStructure <PebLdrData64>(_address);
var currentEntryAddress = SafeHelpers.CreateSafePointer(loaderData.InLoadOrderModuleList.Flink);
while (true)
{
// Read the entry
var entry = _process.ReadStructure <LdrDataTableEntry64>(currentEntryAddress);
// Read the name of the entry
var entryNameAddress = SafeHelpers.CreateSafePointer(entry.BaseDllName.Buffer);
var entryName = _process.ReadString(entryNameAddress, entry.BaseDllName.Length);
if (moduleName.Equals(entryName, StringComparison.OrdinalIgnoreCase))
{
// Read the file path of the entry
var entryFilePathAddress = SafeHelpers.CreateSafePointer(entry.FullDllName.Buffer);
var entryFilePath = _process.ReadString(entryFilePathAddress, entry.FullDllName.Length);
return(new Module(SafeHelpers.CreateSafePointer(entry.DllBase), entryName, new PeImage(File.ReadAllBytes(entryFilePath))));
}
if (currentEntryAddress.ToInt64() == loaderData.InLoadOrderModuleList.Blink)
{
break;
}
currentEntryAddress = SafeHelpers.CreateSafePointer(entry.InLoadOrderLinks.Flink);
}
}
return(null);
}
