public SsLogger(int bufferedBlockCount, bool includeAll)
        {
            // Allocate a buffer.
            _buffer = new VirtualMemoryAlloc(_highBlockSize * bufferedBlockCount);

            // Create the read and write semaphores.

            // Read semaphore: no blocks initially, so 0 initial count.
            _readSemaphore = SemaphoreHandle.Create(SemaphoreAccess.All, 0, bufferedBlockCount);
            // Write semaphore: all buffer blocks available so max. initial count.
            _writeSemaphore = SemaphoreHandle.Create(SemaphoreAccess.All, bufferedBlockCount, bufferedBlockCount);

            // Create the client entry.
            //_clientEntryHandle = KProcessHacker.Instance.SsCreateClientEntry(
            //    ProcessHandle.Current,
            //    _readSemaphore,
            //    _writeSemaphore,
            //    _buffer,
            //    _buffer.Size
            //    );

            // Create the ruleset entry.
            //_ruleSetEntryHandle = KProcessHacker.Instance.SsCreateRuleSetEntry(
            //    _clientEntryHandle,
            //    includeAll ? KphSsFilterType.Include : KphSsFilterType.Exclude,
            //    KphSsRuleSetAction.Log
            //    );
        }
Beispiel #2
0
        public SsLogger(int bufferedBlockCount, bool includeAll)
        {
            // Allocate a buffer.
            _buffer = new VirtualMemoryAlloc(_highBlockSize * bufferedBlockCount);

            // Create the read and write semaphores.

            // Read semaphore: no blocks initially, so 0 initial count.
            _readSemaphore = SemaphoreHandle.Create(SemaphoreAccess.All, 0, bufferedBlockCount);
            // Write semaphore: all buffer blocks available so max. initial count.
            _writeSemaphore = SemaphoreHandle.Create(SemaphoreAccess.All, bufferedBlockCount, bufferedBlockCount);

            // Create the client entry.
            _clientEntryHandle = KProcessHacker.Instance.SsCreateClientEntry(
                ProcessHandle.Current,
                _readSemaphore,
                _writeSemaphore,
                _buffer,
                _buffer.Size
                );

            // Create the ruleset entry.
            _ruleSetEntryHandle = KProcessHacker.Instance.SsCreateRuleSetEntry(
                _clientEntryHandle,
                includeAll ? KphSsFilterType.Include : KphSsFilterType.Exclude,
                KphSsRuleSetAction.Log
                );
        }
        public SemaphoreProperties(SemaphoreHandle semaphoreHandle)
        {
            InitializeComponent();

            _semaphoreHandle = semaphoreHandle;
            _semaphoreHandle.Reference();

            this.UpdateInfo();
        }
        public SemaphoreProperties(SemaphoreHandle semaphoreHandle)
        {
            InitializeComponent();

            _semaphoreHandle = semaphoreHandle;
            _semaphoreHandle.Reference();

            this.UpdateInfo();
        }
Beispiel #5
0
        public KphSsClientEntryHandle SsCreateClientEntry(
            ProcessHandle processHandle,
            SemaphoreHandle readSemaphoreHandle,
            SemaphoreHandle writeSemaphoreHandle,
            IntPtr bufferBase,
            int bufferSize
            )
        {
            byte *inData  = stackalloc byte[0x14];
            byte *outData = stackalloc byte[4];

            *(int *)inData          = processHandle;
            *(int *)(inData + 0x4)  = readSemaphoreHandle;
            *(int *)(inData + 0x8)  = writeSemaphoreHandle;
            *(int *)(inData + 0xc)  = bufferBase.ToInt32();
            *(int *)(inData + 0x10) = bufferSize;

            _fileHandle.IoControl(CtlCode(Control.SsCreateClientEntry), inData, 0x14, outData, 4);

            return(new KphSsClientEntryHandle((*(int *)outData).ToIntPtr()));
        }
Beispiel #6
0
        public SsLogger(int bufferedBlockCount, bool includeAll)
        {
            _buffer = new VirtualMemoryAlloc(_highBlockSize * bufferedBlockCount);

            _readSemaphore = SemaphoreHandle.Create(SemaphoreAccess.All, 0, bufferedBlockCount);

            _writeSemaphore = SemaphoreHandle.Create(SemaphoreAccess.All, bufferedBlockCount, bufferedBlockCount);

            _clientEntryHandle = KProcessHacker.Instance.SsCreateClientEntry(
                ProcessHandle.Current,
                _readSemaphore,
                _writeSemaphore,
                _buffer,
                _buffer.Size
                );

            _ruleSetEntryHandle = KProcessHacker.Instance.SsCreateRuleSetEntry(
                _clientEntryHandle,
                includeAll ? KphSsFilterType.Include : KphSsFilterType.Exclude,
                KphSsRuleSetAction.Log
                );
        }
Beispiel #7
0
        public static void ShowHandleProperties(SystemHandleEntry handleInfo)
        {
            try
            {
                IntPtr        handle    = new IntPtr(handleInfo.Handle);
                ProcessHandle phandle   = new ProcessHandle(handleInfo.ProcessId, ProcessAccess.DupHandle);
                GenericHandle dupHandle = null;

                // Try to get a handle, since we need one for security editing.
                try
                {
                    dupHandle = new GenericHandle(phandle, handle, 0);
                }
                catch
                { }

                PropSheetHeader64 header = new PropSheetHeader64
                {
                    dwSize     = (uint)PropSheetHeader64.SizeOf,
                    nPages     = 2,
                    dwFlags    = (uint)PropSheetFlags.PSH_DEFAULT,
                    pszCaption = "Handle Properties"
                };

                using (HandleDetails hw = new HandleDetails())
                {
                    hw.ObjectHandle              = handleInfo;
                    hw.HandlePropertiesCallback += (control, name, typeName) =>
                    {
                        switch (typeName.ToLowerInvariant())
                        {
                        // Objects with separate property windows:
                        case "file":
                        case "job":
                        case "key":
                        case "token":
                        case "process":
                        {
                            Button b = new Button
                            {
                                FlatStyle = FlatStyle.System,
                                Text      = "Properties"
                            };

                            b.Click += (sender, e) =>
                            {
                                try
                                {
                                    switch (typeName.ToLowerInvariant())
                                    {
                                    case "file":
                                    {
                                        FileUtils.ShowProperties(name);
                                    }
                                    break;

                                    case "job":
                                    {
                                        dupHandle = new GenericHandle(phandle, handle, (int)JobObjectAccess.Query);

                                        (new JobWindow(JobObjectHandle.FromHandle(dupHandle))).ShowDialog();
                                    }
                                    break;

                                    case "key":
                                    {
                                        try
                                        {
                                            PhUtils.OpenKeyInRegedit(PhUtils.GetForegroundWindow(), name);
                                        }
                                        catch (Exception ex)
                                        {
                                            PhUtils.ShowException("Unable to open the Registry Editor", ex);
                                        }
                                    }
                                    break;

                                    case "token":
                                    {
                                        using (TokenWindow twindow = new TokenWindow(new RemoteTokenHandle(phandle, handle)))
                                        {
                                            twindow.ShowDialog();
                                        }
                                    }
                                    break;

                                    case "process":
                                    {
                                        dupHandle = new GenericHandle(phandle, handle, (int)OSVersion.MinProcessQueryInfoAccess);
                                        int pid = ProcessHandle.FromHandle(dupHandle).ProcessId;

                                        Program.GetProcessWindow(Program.ProcessProvider.Dictionary[pid], Program.FocusWindow);
                                    }
                                    break;
                                    }
                                }
                                catch (Exception ex)
                                {
                                    PhUtils.ShowException("Unable to show object properties", ex);
                                }
                            };

                            control.Controls.Add(b);
                        }
                        break;

                        case "event":
                        {
                            dupHandle = new GenericHandle(phandle, handle, (int)EventAccess.QueryState);
                            var eventProps = new EventProperties(EventHandle.FromHandle(dupHandle));
                            control.Controls.Add(eventProps);
                        }
                        break;

                        case "eventpair":
                        {
                            dupHandle = new GenericHandle(phandle, handle, (int)EventPairAccess.All);
                            var eventPairProps = new EventPairProperties(EventPairHandle.FromHandle(dupHandle));
                            control.Controls.Add(eventPairProps);
                        }
                        break;

                        case "mutant":
                        {
                            dupHandle = new GenericHandle(phandle, handle, (int)MutantAccess.QueryState);
                            var mutantProps = new MutantProperties(MutantHandle.FromHandle(dupHandle));
                            control.Controls.Add(mutantProps);
                        }
                        break;

                        case "section":
                        {
                            dupHandle = new GenericHandle(phandle, handle, (int)SectionAccess.Query);
                            var sectionProps = new SectionProperties(SectionHandle.FromHandle(dupHandle));
                            control.Controls.Add(sectionProps);
                        }
                        break;

                        case "semaphore":
                        {
                            dupHandle = new GenericHandle(phandle, handle, (int)SemaphoreAccess.QueryState);
                            var semaphoreProps = new SemaphoreProperties(SemaphoreHandle.FromHandle(dupHandle));
                            control.Controls.Add(semaphoreProps);
                        }
                        break;

                        case "timer":
                        {
                            dupHandle = new GenericHandle(phandle, handle, (int)TimerAccess.QueryState);
                            var timerProps = new TimerProperties(TimerHandle.FromHandle(dupHandle));
                            control.Controls.Add(timerProps);
                        }
                        break;

                        case "tmrm":
                        {
                            dupHandle = new GenericHandle(phandle, handle, (int)ResourceManagerAccess.QueryInformation);
                            var tmRmProps = new TmRmProperties(ResourceManagerHandle.FromHandle(dupHandle));
                            control.Controls.Add(tmRmProps);
                        }
                        break;

                        case "tmtm":
                        {
                            dupHandle = new GenericHandle(phandle, handle, (int)TmAccess.QueryInformation);
                            var tmTmProps = new TmTmProperties(TmHandle.FromHandle(dupHandle));
                            control.Controls.Add(tmTmProps);
                        }
                        break;
                        }
                    };

                    hw.Init();

                    IntPtr[] pages = new IntPtr[2];
                    pages[0] = hw.CreatePageHandle();
                    pages[1] = CreateSecurityPage(SecurityEditor.EditSecurity2(
                                                      null,
                                                      SecurityEditor.GetSecurableWrapper(dupHandle),
                                                      hw._name,
                                                      NativeTypeFactory.GetAccessEntries(NativeTypeFactory.GetObjectType(hw._typeName))
                                                      ));

                    GCHandle gch = GCHandle.Alloc(pages, GCHandleType.Pinned);
                    header.phpage = gch.AddrOfPinnedObject();

                    PropertySheetW(ref header);

                    if (dupHandle != null)
                    {
                        dupHandle.Dispose();
                    }
                }
            }
            catch (Exception ex)
            {
                PhUtils.ShowException("Unable to show handle properties", ex);
            }
        }
Beispiel #8
0
        public static void ShowHandleProperties(SystemHandleEntry handleInfo)
        {
            try
            {
                HandlePropertiesWindow window = new HandlePropertiesWindow(handleInfo);
                IntPtr        handle          = new IntPtr(handleInfo.Handle);
                ProcessHandle phandle         = new ProcessHandle(handleInfo.ProcessId, ProcessAccess.DupHandle);
                GenericHandle dupHandle       = null;

                window.HandlePropertiesCallback += (control, name, typeName) =>
                {
                    switch (typeName.ToLowerInvariant())
                    {
                    // Objects with separate property windows:
                    case "file":
                    case "job":
                    case "key":
                    case "token":
                    case "process":
                    {
                        Button b = new Button();

                        b.FlatStyle = FlatStyle.System;
                        b.Text      = "Properties";
                        b.Click    += (sender, e) =>
                        {
                            try
                            {
                                switch (typeName.ToLowerInvariant())
                                {
                                case "file":
                                {
                                    FileUtils.ShowProperties(name);
                                }
                                break;

                                case "job":
                                {
                                    dupHandle =
                                        new GenericHandle(
                                            phandle, handle,
                                            (int)JobObjectAccess.Query);
                                    (new JobWindow(JobObjectHandle.FromHandle(dupHandle))).ShowDialog();
                                }
                                break;

                                case "key":
                                {
                                    try
                                    {
                                        PhUtils.OpenKeyInRegedit(PhUtils.GetForegroundWindow(), name);
                                    }
                                    catch (Exception ex)
                                    {
                                        PhUtils.ShowException("Unable to open the Registry Editor", ex);
                                    }
                                }
                                break;

                                case "token":
                                {
                                    (new TokenWindow(new RemoteTokenHandle(phandle,
                                                                           handle))).ShowDialog();
                                }
                                break;

                                case "process":
                                {
                                    int pid;

                                    if (KProcessHacker.Instance != null)
                                    {
                                        pid = KProcessHacker.Instance.KphGetProcessId(phandle, handle);
                                    }
                                    else
                                    {
                                        dupHandle =
                                            new GenericHandle(
                                                phandle, handle,
                                                (int)OSVersion.MinProcessQueryInfoAccess);
                                        pid = ProcessHandle.FromHandle(dupHandle).GetProcessId();
                                    }

                                    Program.GetProcessWindow(Program.ProcessProvider.Dictionary[pid],
                                                             (f) => Program.FocusWindow(f));
                                }
                                break;
                                }
                            }
                            catch (Exception ex)
                            {
                                PhUtils.ShowException("Unable to show object properties", ex);
                            }
                        };

                        control.Controls.Add(b);
                    }
                    break;

                    case "event":
                    {
                        dupHandle = new GenericHandle(phandle, handle, (int)EventAccess.QueryState);
                        var eventProps = new EventProperties(EventHandle.FromHandle(dupHandle));
                        control.Controls.Add(eventProps);
                    }
                    break;

                    case "eventpair":
                    {
                        dupHandle = new GenericHandle(phandle, handle, (int)EventPairAccess.All);
                        var eventPairProps = new EventPairProperties(EventPairHandle.FromHandle(dupHandle));
                        control.Controls.Add(eventPairProps);
                    }
                    break;

                    case "mutant":
                    {
                        dupHandle = new GenericHandle(phandle, handle, (int)MutantAccess.QueryState);
                        var mutantProps = new MutantProperties(MutantHandle.FromHandle(dupHandle));
                        control.Controls.Add(mutantProps);
                    }
                    break;

                    case "section":
                    {
                        dupHandle = new GenericHandle(phandle, handle, (int)SectionAccess.Query);
                        var sectionProps = new SectionProperties(SectionHandle.FromHandle(dupHandle));
                        control.Controls.Add(sectionProps);
                    }
                    break;

                    case "semaphore":
                    {
                        dupHandle = new GenericHandle(phandle, handle, (int)SemaphoreAccess.QueryState);
                        var semaphoreProps = new SemaphoreProperties(SemaphoreHandle.FromHandle(dupHandle));
                        control.Controls.Add(semaphoreProps);
                    }
                    break;

                    case "timer":
                    {
                        dupHandle = new GenericHandle(phandle, handle, (int)TimerAccess.QueryState);
                        var timerProps = new TimerProperties(TimerHandle.FromHandle(dupHandle));
                        control.Controls.Add(timerProps);
                    }
                    break;

                    case "tmrm":
                    {
                        dupHandle = new GenericHandle(phandle, handle, (int)ResourceManagerAccess.QueryInformation);
                        var tmRmProps = new TmRmProperties(ResourceManagerHandle.FromHandle(dupHandle));
                        control.Controls.Add(tmRmProps);
                    }
                    break;

                    case "tmtm":
                    {
                        dupHandle = new GenericHandle(phandle, handle, (int)TmAccess.QueryInformation);
                        var tmTmProps = new TmTmProperties(TmHandle.FromHandle(dupHandle));
                        control.Controls.Add(tmTmProps);
                    }
                    break;
                    }
                };

                if (dupHandle == null)
                {
                    // Try to get a handle, since we need one for security editing.
                    try { dupHandle = new GenericHandle(phandle, handle, 0); }
                    catch { }
                }

                window.ObjectHandle = dupHandle;

                window.ShowDialog();

                if (dupHandle != null)
                {
                    dupHandle.Dispose();
                }
            }
            catch (Exception ex)
            {
                PhUtils.ShowException("Unable to show handle properties", ex);
            }
        }
        public KphSsClientEntryHandle SsCreateClientEntry(
            ProcessHandle processHandle,
            SemaphoreHandle readSemaphoreHandle,
            SemaphoreHandle writeSemaphoreHandle,
            IntPtr bufferBase,
            int bufferSize
            )
        {
            byte* inData = stackalloc byte[0x14];
            byte* outData = stackalloc byte[4];

            *(int*)inData = processHandle;
            *(int*)(inData + 0x4) = readSemaphoreHandle;
            *(int*)(inData + 0x8) = writeSemaphoreHandle;
            *(int*)(inData + 0xc) = bufferBase.ToInt32();
            *(int*)(inData + 0x10) = bufferSize;

            _fileHandle.IoControl(CtlCode(Control.SsCreateClientEntry), inData, 0x14, outData, 4);

            return new KphSsClientEntryHandle((*(int*)outData).ToIntPtr());
        }