private void LoadHandles(MemoryObject mo)
{
var dict = Dump.GetDictionary(mo);
HandleItem item = new HandleItem();
if (!dict.ContainsKey("Handle"))
{
return;
}
item.Handle.ProcessId = _item.Pid;
item.Handle.Flags = (HandleFlags)Dump.ParseInt32(dict["Flags"]);
item.Handle.Handle = (short)Dump.ParseInt32(dict["Handle"]);
// Not really needed, just fill it in ignoring 32-bit vs 64-bit
// differences.
item.Handle.Object = (Dump.ParseInt64(dict["Object"]) & 0xffffffff).ToIntPtr();
item.Handle.GrantedAccess = Dump.ParseInt32(dict["GrantedAccess"]);
if (dict.ContainsKey("TypeName"))
{
item.ObjectInfo.TypeName = dict["TypeName"];
item.ObjectInfo.BestName = dict["ObjectName"];
}
if (Settings.Instance.HideHandlesWithNoName)
{
if (string.IsNullOrEmpty(item.ObjectInfo.BestName))
{
return;
}
}
listHandles.AddItem(item);
}
private void LoadSystemInformation()
{
MemoryObject sysInfoMo;
sysInfoMo = _mfs.RootObject.GetChild("SystemInformation");
if (sysInfoMo == null)
{
PhUtils.ShowWarning("The dump file does not contain system information. This most likely " +
"means the file is corrupt.");
return;
}
var dict = Dump.GetDictionary(sysInfoMo);
sysInfoMo.Dispose();
_phVersion = dict["ProcessHackerVersion"];
_osVersion = dict["OSVersion"];
_architecture = (OSArch)Dump.ParseInt32(dict["Architecture"]);
_userName = dict["UserName"];
treeProcesses.DumpUserName = _userName;
this.Text = "Process Hacker " + _phVersion +
" [" + _userName + "] (" + _osVersion + ", " +
(_architecture == OSArch.I386 ? "32-bit" : "64-bit") +
")";
}
private void LoadService(MemoryObject mo)
{
ServiceItem item = new ServiceItem();
var dict = Dump.GetDictionary(mo);
item.Status.ServiceName = dict["Name"];
item.Status.DisplayName = dict["DisplayName"];
item.Status.ServiceStatusProcess.ControlsAccepted = (ServiceAccept)Dump.ParseInt32(dict["ControlsAccepted"]);
item.Status.ServiceStatusProcess.CurrentState = (ServiceState)Dump.ParseInt32(dict["State"]);
item.Status.ServiceStatusProcess.ProcessID = Dump.ParseInt32(dict["ProcessId"]);
item.Status.ServiceStatusProcess.ServiceFlags = (ServiceFlags)Dump.ParseInt32(dict["Flags"]);
item.Status.ServiceStatusProcess.ServiceType = (ServiceType)Dump.ParseInt32(dict["Type"]);
if (dict.ContainsKey("BinaryPath"))
{
item.Config.BinaryPathName = dict["BinaryPath"];
item.Config.DisplayName = item.Status.DisplayName;
item.Config.ErrorControl = (ServiceErrorControl)Dump.ParseInt32(dict["ErrorControl"]);
item.Config.LoadOrderGroup = dict["Group"];
item.Config.ServiceStartName = dict["UserName"];
item.Config.ServiceType = item.Status.ServiceStatusProcess.ServiceType;
item.Config.StartType = (ServiceStartType)Dump.ParseInt32(dict["StartType"]);
if (dict.ContainsKey("ServiceDll"))
{
item.ServiceDll = dict["ServiceDll"];
}
}
_services.Add(item.Status.ServiceName, item);
listServices.AddItem(item);
if (item.Status.ServiceStatusProcess.ProcessID != 0)
{
if (!_processServices.ContainsKey(item.Status.ServiceStatusProcess.ProcessID))
{
_processServices.Add(item.Status.ServiceStatusProcess.ProcessID, new List <string>());
}
_processServices[item.Status.ServiceStatusProcess.ProcessID].Add(item.Status.ServiceName);
}
}
private void LoadModule(MemoryObject mo)
{
var dict = Dump.GetDictionary(mo);
ModuleItem item = new ModuleItem();
item.BaseAddress = Dump.ParseUInt64(dict["BaseAddress"]);
item.Size = Dump.ParseInt32(dict["Size"]);
item.Flags = (LdrpDataTableEntryFlags)Dump.ParseInt32(dict["Flags"]);
item.Name = dict["Name"];
item.FileName = dict["FileName"];
if (dict.ContainsKey("FileDescription"))
{
item.FileDescription = dict["FileDescription"];
item.FileCompanyName = dict["FileCompanyName"];
item.FileVersion = dict["FileVersion"];
}
listModules.AddItem(item);
}
public DumpServiceWindow(ServiceItem item, MemoryObject serviceMo)
{
InitializeComponent();
this.AddEscapeToClose();
_serviceMo = serviceMo;
this.Text = "Service - " + item.Status.ServiceName;
labelServiceName.Text = item.Status.ServiceName;
labelServiceDisplayName.Text = item.Status.DisplayName;
textServiceType.Text = item.Config.ServiceType.ToString();
if (item.Config.ServiceType == (ServiceType.Win32OwnProcess | ServiceType.InteractiveProcess))
{
textServiceType.Text = "Win32OwnProcess, InteractiveProcess";
}
else if (item.Config.ServiceType == (ServiceType.Win32ShareProcess | ServiceType.InteractiveProcess))
{
textServiceType.Text = "Win32ShareProcess, InteractiveProcess";
}
textStartType.Text = item.Config.StartType.ToString();
textErrorControl.Text = item.Config.ErrorControl.ToString();
textLoadOrderGroup.Text = item.Config.LoadOrderGroup;
textServiceBinaryPath.Text = item.Config.BinaryPathName;
textUserAccount.Text = item.Config.ServiceStartName;
textServiceDll.Text = item.ServiceDll;
try
{
var dict = Dump.GetDictionary(_serviceMo);
if (dict.ContainsKey("Description"))
{
textDescription.Text = dict["Description"];
}
}
catch
{ }
}
private void LoadEnvironment()
{
MemoryObject env = _processMo.GetChild("Environment");
if (env == null)
{
return;
}
IDictionary <string, string> dict = Dump.GetDictionary(env);
foreach (var kvp in dict)
{
if (!string.IsNullOrEmpty(kvp.Key))
{
listEnvironment.Items.Add(new ListViewItem(new[] { kvp.Key, kvp.Value }));
}
}
env.Dispose();
}
private void LoadToken()
{
var token = _processMo.GetChild("Token");
if (token == null)
{
return;
}
var dict = Dump.GetDictionary(token);
if (!dict.ContainsKey("UserName"))
{
return;
}
string elevated =
dict.ContainsKey("Elevated") ?
Dump.ParseBool(dict["Elevated"]).ToString() :
"N/A";
string virtualization =
dict.ContainsKey("VirtualizationAllowed") ?
(Dump.ParseBool(dict["VirtualizationAllowed"]) ?
(Dump.ParseBool(dict["VirtualizationEnabled"]) ? "Enabled" : "Disabled") :
"Not Allowed") : "N/A";
_tokenProps.DumpSetTextToken(
dict["UserName"],
dict["UserStringSid"],
dict["OwnerName"],
dict["PrimaryGroupName"],
Dump.ParseInt32(dict["SessionId"]).ToString(),
elevated,
virtualization
);
if (dict.ContainsKey("SourceName"))
{
_tokenProps.DumpSetTextSource(
dict["SourceName"],
"0x" + Dump.ParseInt64(dict["SourceLuid"]).ToString("x")
);
}
_tokenProps.DumpSetTextAdvanced(
((TokenType)Dump.ParseInt32(dict["Type"])).ToString(),
((SecurityImpersonationLevel)Dump.ParseInt32(dict["ImpersonationLevel"])).ToString(),
"0x" + Dump.ParseInt64(dict["Luid"]).ToString("x"),
"0x" + Dump.ParseInt64(dict["AuthenticationLuid"]).ToString("x"),
Utils.FormatSize(Dump.ParseInt32(dict["MemoryUsed"])),
Utils.FormatSize(Dump.ParseInt32(dict["MemoryAvailable"]))
);
using (var groups = token.GetChild("Groups"))
{
var groupsList = Dump.GetList(groups);
foreach (var group in groupsList)
{
var split = group.Split(';');
_tokenProps.DumpAddGroup(split[0], (SidAttributes)Dump.ParseInt32(split[1]));
}
}
using (var privileges = token.GetChild("Privileges"))
{
var privilegesList = Dump.GetList(privileges);
foreach (var privilege in privilegesList)
{
var split = privilege.Split(';');
_tokenProps.DumpAddPrivilege(
split[0],
split[1],
(SePrivilegeAttributes)Dump.ParseInt32(split[2])
);
}
}
token.Dispose();
}
private void LoadProperties()
{
var names = _processMo.ChildNames;
if (names.Contains("LargeIcon"))
{
using (var largeIcon = _processMo.GetChild("LargeIcon"))
pictureIcon.Image = Dump.GetIcon(largeIcon).ToBitmap();
}
else
{
pictureIcon.Image = Properties.Resources.Process.ToBitmap();
}
if (_item.VersionInfo != null)
{
textFileDescription.Text = _item.VersionInfo.FileDescription;
textFileCompany.Text = _item.VersionInfo.CompanyName;
textFileVersion.Text = _item.VersionInfo.FileVersion;
}
else
{
textFileDescription.Text = _item.Name;
textFileCompany.Text = string.Empty;
textFileVersion.Text = string.Empty;
}
textFileName.Text = _item.FileName;
if (_item.VerifyResult == VerifyResult.Trusted)
{
if (!string.IsNullOrEmpty(_item.VerifySignerName))
{
textFileCompany.Text = _item.VerifySignerName + " (verified)";
}
else
{
textFileCompany.Text += " (verified)";
}
}
textStartTime.Text = _item.CreateTime.ToString();
textCmdLine.Text = _item.CmdLine;
if (_item.HasParent)
{
if (_hw.Processes.ContainsKey(_item.ParentPid))
{
textParent.Text =
_hw.Processes[_item.ParentPid].Name + " (" + _item.ParentPid.ToString() + ")";
}
else
{
textParent.Text = "Non-existent Process (" + _item.ParentPid.ToString() + ")";
buttonInspectParent.Enabled = false;
}
}
else if (_item.ParentPid == -1)
{
textParent.Text = "No Parent Process";
buttonInspectParent.Enabled = false;
}
else
{
textParent.Text = "Non-existent Process (" + _item.ParentPid.ToString() + ")";
buttonInspectParent.Enabled = false;
}
using (var general = _processMo.GetChild("General"))
{
var dict = Dump.GetDictionary(general);
if (dict.ContainsKey("CurrentDirectory"))
{
textCurrentDirectory.Text = dict["CurrentDirectory"];
}
if (dict.ContainsKey("DepStatus"))
{
DepStatus status = (DepStatus)Dump.ParseInt32(dict["DepStatus"]);
if ((status & DepStatus.Enabled) != 0)
{
textDEP.Text = "Enabled";
}
else
{
textDEP.Text = "Disabled";
}
if ((status & DepStatus.Permanent) != 0)
{
textDEP.Text += ", Permanent";
}
if ((status & DepStatus.AtlThunkEmulationDisabled) != 0)
{
textDEP.Text += ", DEP-ATL thunk emulation disabled";
}
}
if (_hw.Architecture == OSArch.Amd64)
{
labelProcessType.Visible = true;
labelProcessTypeValue.Visible = true;
labelProcessTypeValue.Text = _item.IsWow64 ? "32-bit" : "64-bit";
}
else
{
labelProcessType.Visible = false;
labelProcessTypeValue.Visible = false;
}
}
}
private void LoadProcess(MemoryObject mo)
{
var names = mo.GetChildNames();
ProcessItem pitem;
if (!names.Contains("General"))
{
return;
}
IDictionary <string, string> generalDict;
using (var general = mo.GetChild("General"))
generalDict = Dump.GetDictionary(general);
pitem = new ProcessItem();
pitem.Pid = Dump.ParseInt32(generalDict["ProcessId"]);
pitem.Name = generalDict["Name"];
pitem.ParentPid = Dump.ParseInt32(generalDict["ParentPid"]);
if (generalDict.ContainsKey("HasParent"))
{
pitem.HasParent = Dump.ParseBool(generalDict["HasParent"]);
}
if (generalDict.ContainsKey("StartTime"))
{
pitem.CreateTime = Dump.ParseDateTime(generalDict["StartTime"]);
}
if (generalDict.ContainsKey("SessionId"))
{
pitem.SessionId = Dump.ParseInt32(generalDict["SessionId"]);
}
if (generalDict.ContainsKey("FileName"))
{
pitem.FileName = generalDict["FileName"];
}
if (generalDict.ContainsKey("FileDescription"))
{
pitem.VersionInfo = new ImageVersionInfo();
pitem.VersionInfo.FileDescription = generalDict["FileDescription"];
pitem.VersionInfo.CompanyName = generalDict["FileCompanyName"];
pitem.VersionInfo.FileVersion = generalDict["FileVersion"];
pitem.VersionInfo.FileName = pitem.FileName;
}
if (generalDict.ContainsKey("CommandLine"))
{
pitem.CmdLine = generalDict["CommandLine"];
}
if (generalDict.ContainsKey("IsPosix"))
{
pitem.IsPosix = Dump.ParseBool(generalDict["IsPosix"]);
}
if (generalDict.ContainsKey("IsWow64"))
{
pitem.IsWow64 = Dump.ParseBool(generalDict["IsWow64"]);
}
if (generalDict.ContainsKey("IsBeingDebugged"))
{
pitem.IsBeingDebugged = Dump.ParseBool(generalDict["IsBeingDebugged"]);
}
if (generalDict.ContainsKey("UserName"))
{
pitem.Username = generalDict["UserName"];
}
if (generalDict.ContainsKey("ElevationType"))
{
pitem.ElevationType = (TokenElevationType)Dump.ParseInt32(generalDict["ElevationType"]);
}
if (generalDict.ContainsKey("CpuUsage"))
{
pitem.CpuUsage = float.Parse(generalDict["CpuUsage"]);
}
if (generalDict.ContainsKey("JobName"))
{
pitem.JobName = generalDict["JobName"];
}
if (generalDict.ContainsKey("IsInJob"))
{
pitem.IsInJob = Dump.ParseBool(generalDict["IsInJob"]);
}
if (generalDict.ContainsKey("IsInSignificantJob"))
{
pitem.IsInSignificantJob = Dump.ParseBool(generalDict["IsInSignificantJob"]);
}
if (generalDict.ContainsKey("Integrity"))
{
pitem.Integrity = generalDict["Integrity"];
}
if (generalDict.ContainsKey("IntegrityLevel"))
{
pitem.IntegrityLevel = Dump.ParseInt32(generalDict["IntegrityLevel"]);
}
if (generalDict.ContainsKey("IsDotNet"))
{
pitem.IsDotNet = Dump.ParseBool(generalDict["IsDotNet"]);
}
if (generalDict.ContainsKey("IsPacked"))
{
pitem.IsPacked = Dump.ParseBool(generalDict["IsPacked"]);
}
if (generalDict.ContainsKey("VerifyResult"))
{
pitem.VerifyResult = (VerifyResult)Dump.ParseInt32(generalDict["VerifyResult"]);
}
if (generalDict.ContainsKey("VerifySignerName"))
{
pitem.VerifySignerName = generalDict["VerifySignerName"];
}
if (generalDict.ContainsKey("ImportFunctions"))
{
pitem.ImportFunctions = Dump.ParseInt32(generalDict["ImportFunctions"]);
}
if (generalDict.ContainsKey("ImportModules"))
{
pitem.ImportModules = Dump.ParseInt32(generalDict["ImportModules"]);
}
if (names.Contains("SmallIcon"))
{
using (var smallIcon = mo.GetChild("SmallIcon"))
pitem.Icon = Dump.GetIcon(smallIcon);
}
if (names.Contains("VmCounters"))
{
using (var vmCounters = mo.GetChild("VmCounters"))
pitem.Process.VirtualMemoryCounters = Dump.GetStruct <VmCountersEx64>(vmCounters).ToVmCountersEx();
}
if (names.Contains("IoCounters"))
{
using (var ioCounters = mo.GetChild("IoCounters"))
pitem.Process.IoCounters = Dump.GetStruct <IoCounters>(ioCounters);
}
_processes.Add(pitem.Pid, pitem);
treeProcesses.AddItem(pitem);
}