        /// <summary>
        /// Builds the symbol resolver used by the proxy parser from the application settings.
        /// </summary>
        /// <returns>
        /// A resolver bound to the current process, or null when symbol resolution is
        /// switched off in settings or no DbgHelp path is configured for the bitness of
        /// this process.
        /// </returns>
        public static ISymbolResolver GetProxyParserSymbolResolver()
        {
            var settings = Properties.Settings.Default;
            if (!settings.ProxyParserResolveSymbols)
            {
                return null;
            }

            // The DbgHelp build must match the bitness of the process loading it.
            string dbghelp_path = Environment.Is64BitProcess
                ? settings.DbgHelpPath64
                : settings.DbgHelpPath32;
            if (string.IsNullOrWhiteSpace(dbghelp_path))
            {
                return null;
            }

            return SymbolResolver.Create(NtProcess.Current, dbghelp_path, settings.SymbolPath);
        }
        /// <summary>
        /// Reads the COM runtime state of a running process into a <see cref="COMProcessEntry"/>.
        /// </summary>
        /// <param name="pid">Process ID of the process to inspect.</param>
        /// <param name="dbghelp_path">Path to the DbgHelp library used for symbol lookup.</param>
        /// <param name="symbol_path">Symbol search path handed to the symbol resolver.</param>
        /// <returns>
        /// The parsed entry, or null when the process cannot be opened with the requested
        /// access or when a 64-bit target is inspected from a 32-bit host process.
        /// </returns>
        public static COMProcessEntry ParseProcess(int pid, string dbghelp_path, string symbol_path)
        {
            // Request only what parsing needs: reading memory and querying basic information.
            // The trailing false selects the non-throwing overload; failure shows up as !IsSuccess.
            ProcessAccessRights access = ProcessAccessRights.VmRead | ProcessAccessRights.QueryInformation;
            using (var open_result = NtProcess.Open(pid, access, false))
            {
                if (!open_result.IsSuccess)
                {
                    return null;
                }

                NtProcess target = open_result.Result;

                // 64-bit targets are not parsed from a 32-bit host.
                bool unsupported_bitness = target.Is64Bit && !Environment.Is64BitProcess;
                if (unsupported_bitness)
                {
                    return null;
                }

                using (ISymbolResolver resolver = SymbolResolver.Create(target, dbghelp_path, symbol_path))
                {
                    Sid user = target.User;

                    // Gather the pieces in the same order the entry constructor consumes them.
                    string file_name = GetProcessFileName(target);
                    var ipid_entries = ParseIPIDEntries(target, resolver);
                    bool is_64bit = target.Is64Bit;
                    var app_id = GetProcessAppId(target, resolver);
                    var access_sd = GetProcessAccessSecurityDescriptor(target, resolver);
                    var lrpc_sd = GetLrpcSecurityDescriptor(target, resolver);
                    string user_name = user.Name;
                    string user_sid = user.ToString();
                    string lrpc_endpoint = ReadString(target, resolver, "gwszLRPCEndPoint");
                    var capabilities = ReadEnum<EOLE_AUTHENTICATION_CAPABILITIES>(target, resolver, "gCapabilities");
                    var authn_level = ReadEnum<RPC_AUTHN_LEVEL>(target, resolver, "gAuthnLevel");
                    var imp_level = ReadEnum<RPC_IMP_LEVEL>(target, resolver, "gImpLevel");
                    var access_control = ReadPointer(target, resolver, "gAccessControl");
                    var ole_main_thread_hwnd = ReadPointer(target, resolver, "ghwndOleMainThread");

                    return new COMProcessEntry(
                        pid,
                        file_name,
                        ipid_entries,
                        is_64bit,
                        app_id,
                        access_sd,
                        lrpc_sd,
                        user_name,
                        user_sid,
                        lrpc_endpoint,
                        capabilities,
                        authn_level,
                        imp_level,
                        access_control,
                        ole_main_thread_hwnd);
                }
            }
        }