public static ISymbolResolver GetProxyParserSymbolResolver()
{
if (!Properties.Settings.Default.ProxyParserResolveSymbols)
{
return(null);
}
string dbghelp = Environment.Is64BitProcess ? Properties.Settings.Default.DbgHelpPath64 : Properties.Settings.Default.DbgHelpPath32;
if (string.IsNullOrWhiteSpace(dbghelp))
{
return(null);
}
return(SymbolResolver.Create(NtProcess.Current, dbghelp, Properties.Settings.Default.SymbolPath));
}
internal static IntPtr AddressFromSymbol(SymbolResolver resolver, bool is64bit, string symbol)
{
Dictionary <string, IntPtr> resolved = is64bit ? _resolved_64bit : _resolved_32bit;
if (resolved.ContainsKey(symbol))
{
return(resolved[symbol]);
}
IntPtr ret = resolver.GetAddressOfSymbol(symbol);
if (ret != IntPtr.Zero)
{
resolved[symbol] = ret;
}
return(ret);
}
static List <COMIPIDEntry> ParseIPIDEntries(SafeProcessHandle process, SymbolResolver resolver)
{
IntPtr ipid_table = AddressFromSymbol(resolver, process.Is64Bit, GetSymbolName("CIPIDTable::_palloc"));
if (ipid_table == IntPtr.Zero)
{
return(new List <COMIPIDEntry>());
}
if (process.Is64Bit)
{
return(ParseIPIDEntries <IPIDEntryNative>(process, ipid_table, resolver));
}
else
{
return(ParseIPIDEntries <IPIDEntryNative32>(process, ipid_table, resolver));
}
}
public static COMProcessEntry ParseProcess(int pid, string dbghelp_path, string symbol_path)
{
using (var result = NtProcess.Open(pid, ProcessAccessRights.VmRead | ProcessAccessRights.QueryInformation, false))
{
if (!result.IsSuccess)
{
return(null);
}
NtProcess process = result.Result;
if (process.Is64Bit && !Environment.Is64BitProcess)
{
return(null);
}
using (ISymbolResolver resolver = SymbolResolver.Create(process, dbghelp_path, symbol_path))
{
Sid user = process.User;
return(new COMProcessEntry(
pid,
GetProcessFileName(process),
ParseIPIDEntries(process, resolver),
process.Is64Bit,
GetProcessAppId(process, resolver),
GetProcessAccessSecurityDescriptor(process, resolver),
GetLrpcSecurityDescriptor(process, resolver),
user.Name,
user.ToString(),
ReadString(process, resolver, "gwszLRPCEndPoint"),
ReadEnum <EOLE_AUTHENTICATION_CAPABILITIES>(process, resolver, "gCapabilities"),
ReadEnum <RPC_AUTHN_LEVEL>(process, resolver, "gAuthnLevel"),
ReadEnum <RPC_IMP_LEVEL>(process, resolver, "gImpLevel"),
ReadPointer(process, resolver, "gAccessControl"),
ReadPointer(process, resolver, "ghwndOleMainThread")));
}
}
}
private static string GetProcessAccessSecurityDescriptor(SafeProcessHandle process, SymbolResolver resolver)
{
return(ReadSecurityDescriptor(process, resolver, "gSecDesc"));
}
internal static string SymbolFromAddress(SymbolResolver resolver, bool is64bit, IntPtr address)
{
return(String.Format("0x{0:X}", address.ToInt64()));
}
static List <COMIPIDEntry> ParseIPIDEntries <T>(SafeProcessHandle process, IntPtr ipid_table, SymbolResolver resolver)
where T : struct, IPIDEntryNativeInterface
{
List <COMIPIDEntry> entries = new List <COMIPIDEntry>();
PageAllocator palloc = new PageAllocator(process, ipid_table);
if (palloc.Pages.Length == 0 || palloc.EntrySize < Marshal.SizeOf(typeof(T)))
{
return(entries);
}
foreach (IntPtr page in palloc.Pages)
{
using (var buf = process.ReadBuffer(page, palloc.EntriesPerPage * palloc.EntrySize))
{
if (buf == null)
{
continue;
}
for (int entry_index = 0; entry_index < palloc.EntriesPerPage; ++entry_index)
{
IPIDEntryNativeInterface ipid_entry = buf.Read <T>((ulong)(entry_index * palloc.EntrySize));
if ((ipid_entry.Flags != 0xF1EEF1EE) && (ipid_entry.Flags != 0))
{
entries.Add(new COMIPIDEntry(ipid_entry, process, resolver));
}
}
}
}
return(entries);
}
internal COMIPIDEntry(COMProcessParser.IPIDEntryNativeInterface ipid, SafeProcessHandle process, SymbolResolver resolver)
{
Ipid = ipid.Ipid;
Iid = ipid.Iid;
Flags = (IPIDFlags)ipid.Flags;
Interface = ipid.Interface;
Stub = ipid.Stub;
var oxid = ipid.GetOxidEntry(process);
Oxid = oxid.MOxid;
ServerSTAHwnd = oxid.ServerSTAHwnd;
StrongRefs = ipid.StrongRefs;
WeakRefs = ipid.WeakRefs;
PrivateRefs = ipid.PrivateRefs;
if (Interface != IntPtr.Zero)
{
InterfaceVTable = resolver.GetModuleRelativeAddress(COMProcessParser.ReadPointer(process, Interface));
}
if (Stub != IntPtr.Zero)
{
StubVTable = resolver.GetModuleRelativeAddress(COMProcessParser.ReadPointer(process, Stub));
}
}
public static IntPtr ReadPointer(SafeProcessHandle process, SymbolResolver resolver, string symbol)
{
return(ReadPointer(process, AddressFromSymbol(resolver, process.Is64Bit, GetSymbolName(symbol))));
}
public static T ReadEnum <T>(SafeProcessHandle process, SymbolResolver resolver, string symbol)
{
int value = ReadInt(process, resolver, symbol);
return((T)Enum.ToObject(typeof(T), value));
}
