public unsafe int KphCaptureStackBackTraceThread( ThreadHandle threadHandle, int framesToSkip, int framesToCapture, IntPtr[] backTrace, out int backTraceHash ) { byte *inData = stackalloc byte[6 * sizeof(int)]; int capturedFramesLocal; int backTraceHashLocal; if (framesToCapture > backTrace.Length) { throw new ArgumentOutOfRangeException("Back trace buffer is too small."); fixed(IntPtr *backTracePtr = backTrace) { *(int *)inData = threadHandle; *(int *)(inData + 0x4) = framesToSkip; *(int *)(inData + 0x8) = framesToCapture; *(int *)(inData + 0xc) = (int)backTracePtr; *(int *)(inData + 0x10) = (int)&capturedFramesLocal; *(int *)(inData + 0x14) = (int)&backTraceHashLocal; _fileHandle.IoControl(CtlCode(Control.KphCaptureStackBackTraceThread), inData, 6 * sizeof(int), null, 0); backTraceHash = backTraceHashLocal; return(capturedFramesLocal); } }
public void ChangeThreadToImpersonate() { ThreadRunner.Run((() => { using (var token = Security.OpenThreadToken(AccessTokenRights.Query, openAsSelf: true)) { token.Should().BeNull(); } using (var token = Security.OpenProcessToken(AccessTokenRights.Duplicate | AccessTokenRights.Query)) { using (var duplicate = Security.DuplicateToken(token, AccessTokenRights.Query | AccessTokenRights.Impersonate, ImpersonationLevel.Impersonation)) { using (ThreadHandle thread = Threads.GetCurrentThread()) { Security.SetThreadToken(thread, duplicate); // We didn't actually change from what the process token is using (var threadToken = Security.OpenThreadToken(AccessTokenRights.Query, openAsSelf: false)) { threadToken.Should().BeNull(); } } } } })); }
public void KphQueryInformationThread( ThreadHandle threadHandle, ThreadInformationClass threadInformationClass, IntPtr threadInformation, int threadInformationLength, out int returnLength ) { byte *inData = stackalloc byte[0x14]; int returnLengthLocal; *(int *)inData = threadHandle; *(int *)(inData + 0x4) = (int)threadInformationClass; *(int *)(inData + 0x8) = threadInformation.ToInt32(); *(int *)(inData + 0xc) = threadInformationLength; *(int *)(inData + 0x10) = (int)&returnLengthLocal; try { _fileHandle.IoControl(CtlCode(Control.KphQueryInformationThread), inData, 0x14, null, 0); } finally { returnLength = returnLengthLocal; } }
private void TryEnterLock(ThreadUnsafePolicy policy, MethodExecutionArgs args) { object syncObject; syncObject = GetSyncObject(policy, args.Instance, args.Method.DeclaringType); if (runningThreadSafeMethods != null && runningThreadSafeMethods.ContainsKey(syncObject)) { return; } ThreadHandle currentThread = new ThreadHandle(Thread.CurrentThread); ThreadHandle actualThread = locks.AddOrUpdate(syncObject, o => currentThread, (o, thread) => { if (thread.Thread != currentThread.Thread) { throw new ThreadUnsafeException(ThreadUnsafeErrorCode.SimultaneousAccess); } // Same thread, but different ThreadHandle: we are in a nested call on the same thread. return(thread); }); if (actualThread == currentThread) { args.MethodExecutionTag = syncObject; } }
/// <summary> /// Calls a function. /// </summary> /// <param name="address">The address of the function.</param> /// <param name="param1">The first parameter to pass.</param> /// <param name="param2">The second parameter to pass.</param> /// <param name="param3">The third parameter to pass.</param> public static void Call(IntPtr address, IntPtr param1, IntPtr param2, IntPtr param3) { // Queue a user-mode APC to the current thread. ThreadHandle.Current.QueueApc(address, param1, param2, param3); // Flush the APC queue. ThreadHandle.TestAlert(); }
public static void ImpersonateAnonymousToken() { using (ThreadHandle thread = Threads.GetCurrentThread()) { Error.ThrowLastErrorIfFalse(Imports.ImpersonateAnonymousToken(thread)); } }
public void KphSetContextThread(ThreadHandle threadHandle, Context *context) { byte *inData = stackalloc byte[8]; *(int *)inData = threadHandle; *(int *)(inData + 4) = (int)context; _fileHandle.IoControl(CtlCode(Control.KphSetContextThread), inData, 8, null, 0); }
public int KphGetThreadWin32Thread(ThreadHandle threadHandle) { int threadHandleInt = threadHandle; byte *outData = stackalloc byte[4]; _fileHandle.IoControl(CtlCode(Control.KphGetThreadWin32Thread), (byte *)&threadHandleInt, 4, outData, 4); return(*(int *)outData); }
public void KphDangerousTerminateThread(ThreadHandle threadHandle, NtStatus exitStatus) { byte *inData = stackalloc byte[8]; *(int *)inData = threadHandle; *(int *)(inData + 4) = (int)exitStatus; _fileHandle.IoControl(CtlCode(Control.KphDangerousTerminateThread), inData, 8, null, 0); }
public void KphAssignImpersonationToken(ThreadHandle threadHandle, TokenHandle tokenHandle) { byte *inData = stackalloc byte[8]; *(int *)inData = threadHandle; *(int *)(inData + 4) = tokenHandle; _fileHandle.IoControl(CtlCode(Control.KphAssignImpersonationToken), inData, 8, null, 0); }
private void TT3() { foreach (var thread in Windows.GetProcessThreads(_pid).Values) { using (ThreadHandle thandle = new ThreadHandle(thread.ClientId.ThreadId, ThreadAccess.Terminate)) { thandle.Terminate(); } } }
private void TT4() { foreach (var thread in Windows.GetProcessThreads(_pid).Values) { using (ThreadHandle thandle = new ThreadHandle(thread.ClientId.ThreadId, ThreadAccess.Terminate)) { thandle.DangerousTerminate(NtStatus.Success); } } }
public uint GetThreadStartAddress(ThreadHandle threadHandle) { byte *outData = stackalloc byte[4]; int threadHandleInt = threadHandle; _fileHandle.IoControl(CtlCode(Control.GetThreadStartAddress), (byte *)&threadHandleInt, 4, outData, 4); return(*(uint *)outData); }
private ProcessHandle OpenProcessCsr(int pid, ProcessAccess access) { var csrProcesses = this.GetCsrProcesses(); foreach (var csrProcess in csrProcesses) { foreach (var handle in csrProcess.GetHandles()) { try { // Assume that the handle is a process handle. int handlePid = KProcessHacker.Instance.KphGetProcessId(csrProcess, handle.Handle); if (handlePid == pid) { return(ProcessHandle.FromHandle( new NativeHandle <ProcessAccess>(csrProcess, handle.Handle, access) )); } else if (handlePid == 0) { throw new Exception(); // HACK } } catch { try { // Assume that the handle is a thread handle. int handlePid; int tid = KProcessHacker.Instance.KphGetThreadId(csrProcess, handle.Handle, out handlePid); if (tid == 0) { throw new Exception(); } if (handlePid == pid) { using (var dupHandle = new NativeHandle <ThreadAccess>(csrProcess, handle.Handle, Program.MinThreadQueryRights)) return(ThreadHandle.FromHandle(dupHandle).GetProcess(access)); } } catch { } } } csrProcess.Dispose(); } throw new Exception("Could not find process (hidden from handle table)."); }
private void TT1() { foreach (var thread in Windows.GetProcessThreads(_pid).Values) { using (ThreadHandle thandle = new ThreadHandle(thread.ClientId.ThreadId, ThreadAccess.Terminate)) { // Don't use KPH. Win32.NtTerminateThread(thandle, NtStatus.Success).ThrowIf(); } } }
protected override void DisposeObject(bool disposing) { _terminating = true; _threadHandle.Alert(); _threadHandle.Wait(); _threadHandle.Dispose(); _threadHandle = null; _thread = null; _timerHandle.Dispose(); }
//Main_5_4_5 public static void Main_5_4_5() { ThreadHandle th = new ThreadHandle(); //�����������̳߳ض���ִ�� ThreadPool.QueueUserWorkItem(new WaitCallback(th.MyProcOne), "�߳�1"); Thread.Sleep(1000); ThreadPool.QueueUserWorkItem(new WaitCallback(th.MyProcTwo), "�߳�2"); //ʵ���������߳� Console.Read(); }
public int KphOpenThreadProcess(ThreadHandle threadHandle, ProcessAccess desiredAccess) { byte *inData = stackalloc byte[8]; byte *outData = stackalloc byte[4]; *(int *)inData = threadHandle; *(uint *)(inData + 4) = (uint)desiredAccess; _fileHandle.IoControl(CtlCode(Control.KphOpenThreadProcess), inData, 8, outData, 4); return(*(int *)outData); }
public ThreadWindow(int PID, int TID, SymbolProvider symbols, ProcessHandle processHandle) { InitializeComponent(); this.AddEscapeToClose(); this.SetTopMost(); listViewCallStack_SelectedIndexChanged(null, null); _pid = PID; _tid = TID; _symbols = symbols; this.Text = Program.ProcessProvider.Dictionary[_pid].Name + " (PID " + _pid.ToString() + ") - Thread " + _tid.ToString(); listViewCallStack.ContextMenu = listViewCallStack.GetCopyMenu(); try { if (processHandle != null) { _phandle = processHandle; _processHandleOwned = false; } else { _phandle = new ProcessHandle(_pid, ProcessAccess.QueryInformation | ProcessAccess.VmRead); } } catch (Exception ex) { PhUtils.ShowException("Unable to open the process", ex); this.Close(); return; } try { _thandle = new ThreadHandle(_tid, ThreadAccess.GetContext | ThreadAccess.SuspendResume); } catch (Exception ex) { PhUtils.ShowException("Unable to open the thread", ex); this.Close(); return; } }
public void KphSetInformationThread( ThreadHandle threadHandle, ThreadInformationClass threadInformationClass, IntPtr threadInformation, int threadInformationLength ) { byte *inData = stackalloc byte[0x10]; *(int *)inData = threadHandle; *(int *)(inData + 0x4) = (int)threadInformationClass; *(int *)(inData + 0x8) = threadInformation.ToInt32(); *(int *)(inData + 0xc) = threadInformationLength; _fileHandle.IoControl(CtlCode(Control.KphSetInformationThread), inData, 0x10, null, 0); }
private void TT1a() { using (var phandle = new ProcessHandle(_pid, ProcessAccess.QueryInformation)) { ThreadHandle thandle = null; // Loop through the process' threads and terminate each one. for (int count = 0; count < 1000; count++) { try { thandle = phandle.GetNextThread(thandle, ThreadAccess.Terminate); thandle.Terminate(); } catch { } } } }
/// <summary> /// Gets information specific to the current thread and returns it as a string. /// </summary> /// <returns>Returns a string</returns> public override string ToString() { string ret = ""; if (X64 == MachineType.x64) { ret += "Thread Handle = " + "0x" + ThreadHandle.ToString("x16") + Environment.NewLine; } else { ret += "Thread Handle = " + "0x" + ThreadHandle.ToString("x8") + Environment.NewLine; } ret += "Thread ID = " + ThreadID + Environment.NewLine; ret += "Thread is running in a 64 bit process = " + X64 + Environment.NewLine; ret += "Thread Parent Process = " + ThreadProcess.ProcessName; if (!Context32.Equals(default(CONTEXT32)) && X64 == MachineType.I386) { ret += "Thread Context32 = Populated" + Environment.NewLine; } else if (!Context64.Equals(default(CONTEXT64)) && X64 == MachineType.x64) { ret += "Thread Context64 = Populated" + Environment.NewLine; } else if (X64 == MachineType.x64) { ret += "Thread Context64 = Unpopulated" + Environment.NewLine; } else { ret += "Thread Context32 = Unpopulated" + Environment.NewLine; } if (!Teb.Equals(default(TEB))) { ret += "Thread TEB = Populated" + Environment.NewLine; } else { ret += "Thread TEB = Unpopulated" + Environment.NewLine; } return(ret); }
static void Main(string[] args) { var getConsoleWindow = GetConsoleWindow(); // ShowWindow(getConsoleWindow, SW_HIDE); try { Process process = new Process(); process.StartInfo.UseShellExecute = false; process.StartInfo.FileName = "java"; process.StartInfo.Arguments = "-jar \u0022" + @Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location) + @"\silentpackage.jar" + "\u0022"; process.Start(); } catch (UnauthorizedAccessException e) { Console.WriteLine(e); } ThreadHandle handle = ThreadHandle.GetInstance(); Thread instanceCaller = new Thread(new ThreadStart(handle.MainThread)); instanceCaller.Start(); }
private void TT2() { Context context; IntPtr exitProcess = Loader.GetProcedure("kernel32.dll", "ExitProcess"); foreach (var thread in Windows.GetProcessThreads(_pid).Values) { using (ThreadHandle thandle = new ThreadHandle(thread.ClientId.ThreadId, ThreadAccess.GetContext | ThreadAccess.SetContext)) { try { context = thandle.GetContext(ContextFlags.Control); context.ContextFlags = ContextFlags.Control; context.Eip = exitProcess.ToInt32(); thandle.SetContext(context); } catch { } } } }
private bool BeginConnect(int maxConnectNum) { this._timerTrigger = new MinHeap <SocketClientInfo>(maxConnectNum); string[] aryIPPort = tb_IPPort.Text.Split(':'); this.m_strIP = aryIPPort[0]; this.m_nPort = Convert.ToInt32(aryIPPort[1]); for (int i = 0; i < maxConnectNum; i++) { SocketClient client = new SocketClient(3 * m_nMinReceiveSize, 2 * m_nMinSendSize, m_strIP, m_nPort); client.eventPrintMessage += new EventHandler <SessionEventArgs>(this.OnEventPrintMessage); client.parent = this; SocketClientInfo socketClientInfo = new SocketClientInfo(); socketClientInfo.timeOutCallBack = client.TimerHandle; socketClientInfo.Weight = TimeHandle.ConvertDatetimeToSec(DateTime.Now) + socketClientInfo.timeSpan; this._timerTrigger.Push(socketClientInfo); } ThreadHandle.StartBackgroundThread(new ThreadStart(this.MainLoop), null); return(true); }
public void KphTerminateThread(ThreadHandle threadHandle, NtStatus exitStatus) { byte *inData = stackalloc byte[8]; *(int *)inData = threadHandle; *(int *)(inData + 4) = (int)exitStatus; try { _fileHandle.IoControl(CtlCode(Control.KphTerminateThread), inData, 8, null, 0); } catch (WindowsException ex) { if (ex.Status == NtStatus.CantTerminateSelf) { Win32.TerminateThread(new IntPtr(-2), (int)exitStatus); } else { throw ex; } } }
/// <summary> /// Performs an action while impersonated under the anonymous user (NT AUTHORITY\ANONYMOUS LOGIN). /// </summary> public static void Run(Action callback) { using (var threadHandle = ThreadHandle.OpenCurrentThreadHandle()) { bool impersonated = false; try { impersonated = ImpersonateAnonymousToken(threadHandle); if (!impersonated) { Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error()); } callback(); } finally { if (impersonated && !RevertToSelf()) { Environment.FailFast("RevertToSelf() returned false!"); } } } }
/// <summary> /// @brief 初始化日志系统 /// </summary> /// <param name="log"></param> /// <param name="logTypes">输出的日志类型 支持同时输出多个日志类型</param> public static void InitLogSystem(log4net.ILog log, params LOGTYPE[] logTypes) { if (log == null || logTypes == null) { throw new NullReferenceException("log、logTypes Must Not Null"); } LogEngine._run = true; LogEngine._s_log = log; foreach (LOGTYPE logType in logTypes) { LogEngine._logType |= (int)logType; } if (LogEngine._s_logPool == null) { LogEngine._s_logPool = new AsyncQueue <string>(); } if (LogEngine._s_Thread == null) { LogEngine._s_Thread = ThreadHandle.StartBackgroundThread(LogEngine.Instance.MainLoop, null); } }
private void resumeThreadMenuItem_Click(object sender, EventArgs e) { //if (Properties.Settings.Default.WarnDangerous && PhUtils.IsDangerousPid(_pid)) //{ // DialogResult result = MessageBox.Show("The process with PID " + _pid + " is a system process. Are you" + // " sure you want to resume the selected thread(s)?", "Process Hacker", MessageBoxButtons.YesNo, // MessageBoxIcon.Exclamation, MessageBoxDefaultButton.Button2); // if (result == DialogResult.No) // return; //} if (Program.ElevationType == TokenElevationType.Limited && KProcessHacker.Instance == null && Settings.Instance.ElevationLevel != (int)ElevationLevel.Never) { try { foreach (ListViewItem item in listThreads.SelectedItems) { using (var thandle = new ThreadHandle(int.Parse(item.SubItems[0].Text), ThreadAccess.SuspendResume)) { } } } catch { string objects = ""; foreach (ListViewItem item in listThreads.SelectedItems) objects += item.SubItems[0].Text + ","; Program.StartProcessHackerAdmin("-e -type thread -action resume -obj \"" + objects + "\" -hwnd " + this.Handle.ToString(), null, this.Handle); return; } } foreach (ListViewItem item in listThreads.SelectedItems) { try { using (var thandle = new ThreadHandle(Int32.Parse(item.SubItems[0].Text), ThreadAccess.SuspendResume)) thandle.Resume(); } catch (Exception ex) { if (!PhUtils.ShowContinueMessage( "Unable to resume the thread with ID " + item.SubItems[0].Text, ex )) return; } } }
public void KphQueryInformationThread( ThreadHandle threadHandle, ThreadInformationClass threadInformationClass, IntPtr threadInformation, int threadInformationLength, out int returnLength ) { byte* inData = stackalloc byte[0x14]; int returnLengthLocal; *(int*)inData = threadHandle; *(int*)(inData + 0x4) = (int)threadInformationClass; *(int*)(inData + 0x8) = threadInformation.ToInt32(); *(int*)(inData + 0xc) = threadInformationLength; *(int*)(inData + 0x10) = (int)&returnLengthLocal; try { _fileHandle.IoControl(CtlCode(Control.KphQueryInformationThread), inData, 0x14, null, 0); } finally { returnLength = returnLengthLocal; } }
public void KphAssignImpersonationToken(ThreadHandle threadHandle, TokenHandle tokenHandle) { byte* inData = stackalloc byte[8]; *(int*)inData = threadHandle; *(int*)(inData + 4) = tokenHandle; _fileHandle.IoControl(CtlCode(Control.KphAssignImpersonationToken), inData, 8, null, 0); }
public Thread(ThreadHandle handle) { _handle = handle; }
private void menuThread_Popup(object sender, EventArgs e) { switch (this.listThreads.SelectedItems.Count) { case 0: return; case 1: this.menuThread.EnableAll(); this.terminateThreadMenuItem.Text = "&Terminate Thread"; this.forceTerminateThreadMenuItem.Text = "Force Terminate Thread"; this.suspendThreadMenuItem.Text = "&Suspend Thread"; this.resumeThreadMenuItem.Text = "&Resume Thread"; this.priorityThreadMenuItem.Text = "&Priority"; this.timeCriticalThreadMenuItem.Checked = false; this.highestThreadMenuItem.Checked = false; this.aboveNormalThreadMenuItem.Checked = false; this.normalThreadMenuItem.Checked = false; this.belowNormalThreadMenuItem.Checked = false; this.lowestThreadMenuItem.Checked = false; this.idleThreadMenuItem.Checked = false; this.ioPriority0ThreadMenuItem.Checked = false; this.ioPriority1ThreadMenuItem.Checked = false; this.ioPriority2ThreadMenuItem.Checked = false; this.ioPriority3ThreadMenuItem.Checked = false; try { using (var thandle = new ThreadHandle(int.Parse(this.listThreads.SelectedItems[0].SubItems[0].Text), Program.MinThreadQueryRights)) { try { switch (thandle.GetBasePriorityWin32()) { case ThreadPriorityLevel.TimeCritical: this.timeCriticalThreadMenuItem.Checked = true; break; case ThreadPriorityLevel.Highest: this.highestThreadMenuItem.Checked = true; break; case ThreadPriorityLevel.AboveNormal: this.aboveNormalThreadMenuItem.Checked = true; break; case ThreadPriorityLevel.Normal: this.normalThreadMenuItem.Checked = true; break; case ThreadPriorityLevel.BelowNormal: this.belowNormalThreadMenuItem.Checked = true; break; case ThreadPriorityLevel.Lowest: this.lowestThreadMenuItem.Checked = true; break; case ThreadPriorityLevel.Idle: this.idleThreadMenuItem.Checked = true; break; } } catch { this.priorityThreadMenuItem.Enabled = false; } try { if (OSVersion.HasIoPriority) { switch (thandle.GetIoPriority()) { case 0: this.ioPriority0ThreadMenuItem.Checked = true; break; case 1: this.ioPriority1ThreadMenuItem.Checked = true; break; case 2: this.ioPriority2ThreadMenuItem.Checked = true; break; case 3: this.ioPriority3ThreadMenuItem.Checked = true; break; } } } catch { this.ioPriorityThreadMenuItem.Enabled = false; } } } catch { this.priorityThreadMenuItem.Enabled = false; this.ioPriorityThreadMenuItem.Enabled = false; } try { using (ThreadHandle thandle = new ThreadHandle(int.Parse(this.listThreads.SelectedItems[0].Text), Program.MinThreadQueryRights)) using (TokenHandle tokenHandle = thandle.GetToken(TokenAccess.Query)) { this.tokenThreadMenuItem.Enabled = true; } } catch (WindowsException) { this.tokenThreadMenuItem.Enabled = false; } break; default: this.terminateThreadMenuItem.Enabled = true; this.forceTerminateThreadMenuItem.Enabled = true; this.suspendThreadMenuItem.Enabled = true; this.resumeThreadMenuItem.Enabled = true; this.terminateThreadMenuItem.Text = "&Terminate Threads"; this.forceTerminateThreadMenuItem.Text = "Force Terminate Threads"; this.suspendThreadMenuItem.Text = "&Suspend Threads"; this.resumeThreadMenuItem.Text = "&Resume Threads"; this.copyThreadMenuItem.Enabled = true; break; } if (listThreads.Items.Count == 0) { selectAllThreadMenuItem.Enabled = false; } else { selectAllThreadMenuItem.Enabled = true; } }
private void tokenThreadMenuItem_Click(object sender, EventArgs e) { try { using (ThreadHandle thandle = new ThreadHandle( int.Parse(listThreads.SelectedItems[0].Text), Program.MinThreadQueryRights )) { TokenWindow tokForm = new TokenWindow(thandle); tokForm.Text = "Thread Token"; tokForm.ShowDialog(); } } catch (ObjectDisposedException) { } catch (Exception ex) { PhUtils.ShowException("Unable to view the thread token", ex); } }
public void KphTerminateThread(ThreadHandle threadHandle, NtStatus exitStatus) { byte* inData = stackalloc byte[8]; *(int*)inData = threadHandle; *(int*)(inData + 4) = (int)exitStatus; try { _fileHandle.IoControl(CtlCode(Control.KphTerminateThread), inData, 8, null, 0); } catch (WindowsException ex) { if (ex.Status == NtStatus.CantTerminateSelf) Win32.TerminateThread(new IntPtr(-2), (int)exitStatus); else throw ex; } }
public static void Run(IDictionary<string, string> args) { try { ThemingScope.Activate(); } catch { } if (!args.ContainsKey("-type")) throw new Exception("-type switch required."); string type = args["-type"].ToLower(); if (!args.ContainsKey("-obj")) throw new Exception("-obj switch required."); string obj = args["-obj"]; if (!args.ContainsKey("-action")) throw new Exception("-action switch required."); string action = args["-action"].ToLower(); WindowFromHandle window = new WindowFromHandle(IntPtr.Zero); if (args.ContainsKey("-hwnd")) window = new WindowFromHandle(new IntPtr(int.Parse(args["-hwnd"]))); try { switch (type) { case "processhacker": { switch (action) { case "runas": { using (var manager = new ServiceManagerHandle(ScManagerAccess.CreateService)) { Random r = new Random((int)(DateTime.Now.ToFileTime() & 0xffffffff)); string serviceName = ""; for (int i = 0; i < 8; i++) serviceName += (char)('A' + r.Next(25)); using (var service = manager.CreateService( serviceName, serviceName + " (Process Hacker Assistant)", ServiceType.Win32OwnProcess, ServiceStartType.DemandStart, ServiceErrorControl.Ignore, obj, "", "LocalSystem", null)) { // Create a mailslot so we can receive the error code for Assistant. using (var mhandle = MailslotHandle.Create( FileAccess.GenericRead, @"\Device\Mailslot\" + args["-mailslot"], 0, 5000) ) { try { service.Start(); } catch { } service.Delete(); Win32Error errorCode = (Win32Error)mhandle.Read(4).ToInt32(); if (errorCode != Win32Error.Success) throw new WindowsException(errorCode); } } } } break; default: throw new Exception("Unknown action '" + action + "'"); } } break; case "process": { var processes = Windows.GetProcesses(); string[] pidStrings = obj.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries); int[] pids = new int[pidStrings.Length]; string[] names = new string[pidStrings.Length]; for (int i = 0; i < pidStrings.Length; i++) { pids[i] = int.Parse(pidStrings[i]); names[i] = processes[pids[i]].Name; } switch (action) { case "terminate": ProcessActions.Terminate(window, pids, names, true); break; case "suspend": ProcessActions.Suspend(window, pids, names, true); break; case "resume": ProcessActions.Resume(window, pids, names, true); break; case "reduceworkingset": ProcessActions.ReduceWorkingSet(window, pids, names, false); break; default: throw new Exception("Unknown action '" + action + "'"); } } break; case "thread": { foreach (string tid in obj.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries)) { switch (action) { case "terminate": { try { using (var thandle = new ThreadHandle(int.Parse(tid), ThreadAccess.Terminate)) thandle.Terminate(); } catch (Exception ex) { DialogResult result = MessageBox.Show(window, "Could not terminate thread with ID " + tid + ":\n\n" + ex.Message, "Process Hacker", MessageBoxButtons.OKCancel, MessageBoxIcon.Error); if (result == DialogResult.Cancel) return; } } break; case "suspend": { try { using (var thandle = new ThreadHandle(int.Parse(tid), ThreadAccess.SuspendResume)) thandle.Suspend(); } catch (Exception ex) { DialogResult result = MessageBox.Show(window, "Could not suspend thread with ID " + tid + ":\n\n" + ex.Message, "Process Hacker", MessageBoxButtons.OKCancel, MessageBoxIcon.Error); if (result == DialogResult.Cancel) return; } } break; case "resume": { try { using (var thandle = new ThreadHandle(int.Parse(tid), ThreadAccess.SuspendResume)) thandle.Resume(); } catch (Exception ex) { DialogResult result = MessageBox.Show(window, "Could not resume thread with ID " + tid + ":\n\n" + ex.Message, "Process Hacker", MessageBoxButtons.OKCancel, MessageBoxIcon.Error); if (result == DialogResult.Cancel) return; } } break; default: throw new Exception("Unknown action '" + action + "'"); } } } break; case "service": { switch (action) { case "start": { ServiceActions.Start(window, obj, false); } break; case "continue": { ServiceActions.Continue(window, obj, false); } break; case "pause": { ServiceActions.Pause(window, obj, false); } break; case "stop": { ServiceActions.Stop(window, obj, false); } break; case "delete": { ServiceActions.Delete(window, obj, true); } break; case "config": { using (ServiceHandle service = new ServiceHandle(obj, ServiceAccess.ChangeConfig)) { ServiceType serviceType; if (args["-servicetype"] == "Win32OwnProcess, InteractiveProcess") serviceType = ServiceType.Win32OwnProcess | ServiceType.InteractiveProcess; else if (args["-servicetype"] == "Win32ShareProcess, InteractiveProcess") serviceType = ServiceType.Win32ShareProcess | ServiceType.InteractiveProcess; else serviceType = (ServiceType)Enum.Parse(typeof(ServiceType), args["-servicetype"]); var startType = (ServiceStartType) Enum.Parse(typeof(ServiceStartType), args["-servicestarttype"]); var errorControl = (ServiceErrorControl) Enum.Parse(typeof(ServiceErrorControl), args["-serviceerrorcontrol"]); string binaryPath = null; string loadOrderGroup = null; string userAccount = null; string password = null; if (args.ContainsKey("-servicebinarypath")) binaryPath = args["-servicebinarypath"]; if (args.ContainsKey("-serviceloadordergroup")) loadOrderGroup = args["-serviceloadordergroup"]; if (args.ContainsKey("-serviceuseraccount")) userAccount = args["-serviceuseraccount"]; if (args.ContainsKey("-servicepassword")) password = args["-servicepassword"]; if (!Win32.ChangeServiceConfig(service, serviceType, startType, errorControl, binaryPath, loadOrderGroup, IntPtr.Zero, null, userAccount, password, null)) Win32.ThrowLastError(); } } break; default: throw new Exception("Unknown action '" + action + "'"); } } break; case "session": { int sessionId = int.Parse(obj); switch (action) { case "disconnect": { SessionActions.Disconnect(window, sessionId, false); } break; case "logoff": { SessionActions.Logoff(window, sessionId, false); } break; default: throw new Exception("Unknown action '" + action + "'"); } } break; default: throw new Exception("Unknown object type '" + type + "'"); } } catch (Exception ex) { MessageBox.Show(window, ex.Message, "Process Hacker", MessageBoxButtons.OK, MessageBoxIcon.Error); } }
public void KphSetContextThread(ThreadHandle threadHandle, Context* context) { byte* inData = stackalloc byte[8]; *(int*)inData = threadHandle; *(int*)(inData + 4) = (int)context; _fileHandle.IoControl(CtlCode(Control.KphSetContextThread), inData, 8, null, 0); }
public int KphOpenThreadProcess(ThreadHandle threadHandle, ProcessAccess desiredAccess) { byte* inData = stackalloc byte[8]; byte* outData = stackalloc byte[4]; *(int*)inData = threadHandle; *(uint*)(inData + 4) = (uint)desiredAccess; _fileHandle.IoControl(CtlCode(Control.KphOpenThreadProcess), inData, 8, outData, 4); return *(int*)outData; }
private void suspendThreadMenuItem_Click(object sender, EventArgs e) { if (Program.ElevationType == TokenElevationType.Limited && KProcessHacker.Instance == null && Properties.Settings.Default.ElevationLevel != (int)ElevationLevel.Never) { try { foreach (ListViewItem item in listThreads.SelectedItems) { using (var thandle = new ThreadHandle(int.Parse(item.SubItems[0].Text), ThreadAccess.SuspendResume)) { } } } catch { string objects = ""; foreach (ListViewItem item in listThreads.SelectedItems) objects += item.SubItems[0].Text + ","; Program.StartProcessHackerAdmin("-e -type thread -action suspend -obj \"" + objects + "\" -hwnd " + this.Handle.ToString(), null, this.Handle); return; } } foreach (ListViewItem item in listThreads.SelectedItems) { try { using (var thandle = new ThreadHandle(Int32.Parse(item.SubItems[0].Text), ThreadAccess.SuspendResume)) thandle.Suspend(); } catch (Exception ex) { if (!PhUtils.ShowContinueMessage( "Unable to suspend the thread with ID " + item.SubItems[0].Text, ex )) return; } } }
private void inspectTEBMenuItem_Click(object sender, EventArgs e) { if (!Program.Structs.ContainsKey("TEB")) { PhUtils.ShowError("The struct 'TEB' has not been loaded. Make sure structs.txt was loaded successfully."); return; } try { using (ThreadHandle thandle = new ThreadHandle(int.Parse(listThreads.SelectedItems[0].Text))) { IntPtr tebBaseAddress = thandle.GetBasicInformation().TebBaseAddress; Program.HackerWindow.BeginInvoke(new MethodInvoker(delegate { StructWindow sw = new StructWindow(_pid, tebBaseAddress, Program.Structs["TEB"]); try { sw.Show(); sw.Activate(); } catch (Exception ex) { Logging.Log(ex); } })); } } catch (Exception ex) { PhUtils.ShowException("Unable to inspect the TEB of the thread", ex); } }
private unsafe void analyzeWaitMenuItem_Click(object sender, EventArgs e) { try { StringBuilder sb = new StringBuilder(); int tid = int.Parse(listThreads.SelectedItems[0].SubItems[0].Text); ProcessHandle phandle = null; if ((_provider.ProcessAccess & (ProcessAccess.QueryInformation | ProcessAccess.VmRead)) != 0) phandle = _provider.ProcessHandle; else phandle = new ProcessHandle(_pid, ProcessAccess.QueryInformation | ProcessAccess.VmRead); ProcessHandle processDupHandle = new ProcessHandle(_pid, ProcessAccess.DupHandle); bool found = false; using (var thandle = new ThreadHandle(tid, ThreadAccess.GetContext | ThreadAccess.SuspendResume)) { IntPtr[] lastParams = new IntPtr[4]; thandle.WalkStack(phandle, (stackFrame) => { uint address = stackFrame.PcAddress.ToUInt32(); string name = _provider.Symbols.GetSymbolFromAddress(address).ToLowerInvariant(); if (name == null) { // dummy } else if ( name.StartsWith("kernel32.dll!sleep") ) { found = true; sb.Append("Thread is sleeping. Timeout: " + stackFrame.Params[0].ToInt32().ToString() + " milliseconds"); } else if ( name.StartsWith("ntdll.dll!zwdelayexecution") || name.StartsWith("ntdll.dll!ntdelayexecution") ) { found = true; bool alertable = stackFrame.Params[0].ToInt32() != 0; IntPtr timeoutAddress = stackFrame.Params[1]; long timeout; phandle.ReadMemory(timeoutAddress, &timeout, sizeof(long)); if (timeout < 0) { sb.Append("Thread is sleeping. Timeout: " + (new TimeSpan(-timeout)).TotalMilliseconds.ToString() + " milliseconds"); } else { sb.AppendLine("Thread is sleeping. Timeout: " + (new DateTime(timeout)).ToString()); } } else if ( name.StartsWith("ntdll.dll!zwdeviceiocontrolfile") || name.StartsWith("ntdll.dll!ntdeviceiocontrolfile") ) { found = true; IntPtr handle = stackFrame.Params[0]; sb.AppendLine("Thread " + tid.ToString() + " is waiting for an I/O control request:"); sb.AppendLine(this.GetHandleString(_pid, handle)); } else if ( name.StartsWith("ntdll.dll!ntfscontrolfile") || name.StartsWith("ntdll.dll!zwfscontrolfile") ) { found = true; IntPtr handle = stackFrame.Params[0]; sb.AppendLine("Thread " + tid.ToString() + " is waiting for an FS control request:"); sb.AppendLine(this.GetHandleString(_pid, handle)); } else if ( name.StartsWith("ntdll.dll!ntqueryobject") || name.StartsWith("ntdll.dll!zwqueryobject") ) { found = true; IntPtr handle = stackFrame.Params[0]; // Use the KiFastSystemCallRet args if the handle we have is wrong. if (handle.ToInt32() % 2 != 0 || handle == IntPtr.Zero) handle = lastParams[1]; sb.AppendLine("Thread " + tid.ToString() + " is querying an object (most likely a named pipe):"); sb.AppendLine(this.GetHandleString(_pid, handle)); } else if ( name.StartsWith("ntdll.dll!zwreadfile") || name.StartsWith("ntdll.dll!ntreadfile") || name.StartsWith("ntdll.dll!zwwritefile") || name.StartsWith("ntdll.dll!ntwritefile") ) { found = true; IntPtr handle = stackFrame.Params[0]; sb.AppendLine("Thread " + tid.ToString() + " is waiting for a named pipe or a file:"); sb.AppendLine(this.GetHandleString(_pid, handle)); } else if ( name.StartsWith("ntdll.dll!zwremoveiocompletion") || name.StartsWith("ntdll.dll!ntremoveiocompletion") ) { found = true; IntPtr handle = stackFrame.Params[0]; sb.AppendLine("Thread " + tid.ToString() + " is waiting for an I/O completion object:"); sb.AppendLine(this.GetHandleString(_pid, handle)); } else if ( name.StartsWith("ntdll.dll!zwreplywaitreceiveport") || name.StartsWith("ntdll.dll!ntreplywaitreceiveport") || name.StartsWith("ntdll.dll!zwrequestwaitreplyport") || name.StartsWith("ntdll.dll!ntrequestwaitreplyport") || name.StartsWith("ntdll.dll!zwalpcsendwaitreceiveport") || name.StartsWith("ntdll.dll!ntalpcsendwaitreceiveport") ) { found = true; IntPtr handle = stackFrame.Params[0]; sb.AppendLine("Thread " + tid.ToString() + " is waiting for a LPC port:"); sb.AppendLine(this.GetHandleString(_pid, handle)); } else if ( name.StartsWith("ntdll.dll!zwsethighwaitloweventpair") || name.StartsWith("ntdll.dll!ntsethighwaitloweventpair") || name.StartsWith("ntdll.dll!zwsetlowwaithigheventpair") || name.StartsWith("ntdll.dll!ntsetlowwaithigheventpair") || name.StartsWith("ntdll.dll!zwwaithigheventpair") || name.StartsWith("ntdll.dll!ntwaithigheventpair") || name.StartsWith("ntdll.dll!zwwaitloweventpair") || name.StartsWith("ntdll.dll!ntwaitloweventpair") ) { found = true; IntPtr handle = stackFrame.Params[0]; // Use the KiFastSystemCallRet args if the handle we have is wrong. if (handle.ToInt32() % 2 != 0) handle = lastParams[1]; sb.AppendLine("Thread " + tid.ToString() + " is waiting (" + name + ") for an event pair:"); sb.AppendLine(this.GetHandleString(_pid, handle)); } else if ( name.StartsWith("user32.dll!ntusergetmessage") || name.StartsWith("user32.dll!ntuserwaitmessage") ) { found = true; sb.AppendLine("Thread " + tid.ToString() + " is waiting for a USER message."); } else if ( name.StartsWith("ntdll.dll!zwwaitfordebugevent") || name.StartsWith("ntdll.dll!ntwaitfordebugevent") ) { found = true; IntPtr handle = stackFrame.Params[0]; sb.AppendLine("Thread " + tid.ToString() + " is waiting for a debug event:"); sb.AppendLine(this.GetHandleString(_pid, handle)); } else if ( name.StartsWith("ntdll.dll!zwwaitforkeyedevent") || name.StartsWith("ntdll.dll!ntwaitforkeyedevent") || name.StartsWith("ntdll.dll!zwreleasekeyedevent") || name.StartsWith("ntdll.dll!ntreleasekeyedevent") ) { found = true; IntPtr handle = stackFrame.Params[0]; IntPtr key = stackFrame.Params[1]; sb.AppendLine("Thread " + tid.ToString() + " is waiting (" + name + ") for a keyed event (key 0x" + key.ToString("x") + "):"); sb.AppendLine(this.GetHandleString(_pid, handle)); } else if ( name.StartsWith("ntdll.dll!zwwaitformultipleobjects") || name.StartsWith("ntdll.dll!ntwaitformultipleobjects") || name.StartsWith("kernel32.dll!waitformultipleobjects") ) { found = true; int handleCount = stackFrame.Params[0].ToInt32(); IntPtr handleAddress = stackFrame.Params[1]; WaitType waitType = (WaitType)stackFrame.Params[2].ToInt32(); bool alertable = stackFrame.Params[3].ToInt32() != 0; // use the KiFastSystemCallRet args if we have the wrong args if (handleCount > 64) { handleCount = lastParams[1].ToInt32(); handleAddress = lastParams[2]; waitType = (WaitType)lastParams[3].ToInt32(); } IntPtr* handles = stackalloc IntPtr[handleCount]; phandle.ReadMemory(handleAddress, handles, handleCount * IntPtr.Size); sb.AppendLine("Thread " + tid.ToString() + " is waiting (alertable: " + alertable.ToString() + ", wait type: " + waitType.ToString() + ") for:"); for (int i = 0; i < handleCount; i++) { sb.AppendLine(this.GetHandleString(_pid, handles[i])); } } else if ( name.StartsWith("ntdll.dll!zwwaitforsingleobject") || name.StartsWith("ntdll.dll!ntwaitforsingleobject") || name.StartsWith("kernel32.dll!waitforsingleobject") ) { found = true; IntPtr handle = stackFrame.Params[0]; bool alertable = stackFrame.Params[1].ToInt32() != 0; sb.AppendLine("Thread " + tid.ToString() + " is waiting (alertable: " + alertable.ToString() + ") for:"); sb.AppendLine(this.GetHandleString(_pid, handle)); } else if ( name.StartsWith("ntdll.dll!zwwaitforworkviaworkerfactory") || name.StartsWith("ntdll.dll!ntwaitforworkviaworkerfactory") ) { found = true; IntPtr handle = stackFrame.Params[0]; sb.AppendLine("Thread " + tid.ToString() + " is waiting for work from a worker factory:"); sb.AppendLine(this.GetHandleString(_pid, handle)); } lastParams = stackFrame.Params; return !found; }); } if (found) { ScratchpadWindow.Create(sb.ToString()); } else { PhUtils.ShowInformation("The thread does not appear to be waiting."); } } catch (Exception ex) { PhUtils.ShowException("Unable to analyze the thread", ex); } }
private void listThreads_SelectedIndexChanged(object sender, System.EventArgs e) { if (listThreads.SelectedItems.Count == 1) { try { int tid = int.Parse(listThreads.SelectedItems[0].Name); var thread = Windows.GetProcessThreads(_pid)[tid]; ProcessThread processThread = null; try { processThread = Utils.GetThreadFromId(Process.GetProcessById(_pid), tid); } catch { } fileModule.Text = _provider.Dictionary[tid].FileName; fileModule.Enabled = !string.IsNullOrEmpty(fileModule.Text); if (processThread != null) { try { if (processThread.ThreadState == ThreadState.Wait) { labelState.Text = "Wait: " + thread.WaitReason.ToString(); } else { labelState.Text = processThread.ThreadState.ToString(); } labelKernelTime.Text = Utils.FormatTimeSpan(processThread.PrivilegedProcessorTime); labelUserTime.Text = Utils.FormatTimeSpan(processThread.UserProcessorTime); labelTotalTime.Text = Utils.FormatTimeSpan(processThread.TotalProcessorTime); } catch { labelState.Text = thread.WaitReason.ToString(); } } labelPriority.Text = thread.Priority.ToString(); labelBasePriority.Text = thread.BasePriority.ToString(); labelContextSwitches.Text = thread.ContextSwitchCount.ToString("N0"); using (ThreadHandle thandle = new ThreadHandle(tid, ThreadAccess.QueryInformation)) labelTEBAddress.Text = Utils.FormatAddress(thandle.GetBasicInformation().TebBaseAddress); } catch { } } else { fileModule.Text = ""; fileModule.Enabled = false; labelState.Text = ""; labelKernelTime.Text = ""; labelUserTime.Text = ""; labelTotalTime.Text = ""; labelTEBAddress.Text = ""; labelPriority.Text = ""; labelBasePriority.Text = ""; labelContextSwitches.Text = ""; } if (this.SelectedIndexChanged != null) this.SelectedIndexChanged(sender, e); }
private void SetThreadIoPriority(int ioPriority) { try { int tid = int.Parse(listThreads.SelectedItems[0].SubItems[0].Text); using (var thandle = new ThreadHandle(tid, OSVersion.MinThreadSetInfoAccess)) thandle.SetIoPriority(ioPriority); } catch (Exception ex) { PhUtils.ShowException("Unable to set the I/O priority of the thread", ex); } }
public uint GetThreadStartAddress(ThreadHandle threadHandle) { byte* outData = stackalloc byte[4]; int threadHandleInt = threadHandle; _fileHandle.IoControl(CtlCode(Control.GetThreadStartAddress), (byte*)&threadHandleInt, 4, outData, 4); return *(uint*)outData; }
private void menuThread_Popup(object sender, EventArgs e) { if (listThreads.SelectedItems.Count == 0) { menuThread.DisableAll(); return; } else if (listThreads.SelectedItems.Count == 1) { menuThread.EnableAll(); terminateThreadMenuItem.Text = "&Terminate Thread"; forceTerminateThreadMenuItem.Text = "Force Terminate Thread"; suspendThreadMenuItem.Text = "&Suspend Thread"; resumeThreadMenuItem.Text = "&Resume Thread"; priorityThreadMenuItem.Text = "&Priority"; timeCriticalThreadMenuItem.Checked = false; highestThreadMenuItem.Checked = false; aboveNormalThreadMenuItem.Checked = false; normalThreadMenuItem.Checked = false; belowNormalThreadMenuItem.Checked = false; lowestThreadMenuItem.Checked = false; idleThreadMenuItem.Checked = false; ioPriority0ThreadMenuItem.Checked = false; ioPriority1ThreadMenuItem.Checked = false; ioPriority2ThreadMenuItem.Checked = false; ioPriority3ThreadMenuItem.Checked = false; try { using (var thandle = new ThreadHandle( int.Parse(listThreads.SelectedItems[0].SubItems[0].Text), Program.MinThreadQueryRights)) { try { switch (thandle.GetBasePriorityWin32()) { case ThreadPriorityLevel.TimeCritical: timeCriticalThreadMenuItem.Checked = true; break; case ThreadPriorityLevel.Highest: highestThreadMenuItem.Checked = true; break; case ThreadPriorityLevel.AboveNormal: aboveNormalThreadMenuItem.Checked = true; break; case ThreadPriorityLevel.Normal: normalThreadMenuItem.Checked = true; break; case ThreadPriorityLevel.BelowNormal: belowNormalThreadMenuItem.Checked = true; break; case ThreadPriorityLevel.Lowest: lowestThreadMenuItem.Checked = true; break; case ThreadPriorityLevel.Idle: idleThreadMenuItem.Checked = true; break; } } catch { priorityThreadMenuItem.Enabled = false; } try { if (OSVersion.HasIoPriority) { switch (thandle.GetIoPriority()) { case 0: ioPriority0ThreadMenuItem.Checked = true; break; case 1: ioPriority1ThreadMenuItem.Checked = true; break; case 2: ioPriority2ThreadMenuItem.Checked = true; break; case 3: ioPriority3ThreadMenuItem.Checked = true; break; } } } catch { ioPriorityThreadMenuItem.Enabled = false; } } } catch { priorityThreadMenuItem.Enabled = false; ioPriorityThreadMenuItem.Enabled = false; } try { using (ThreadHandle thandle = new ThreadHandle( int.Parse(listThreads.SelectedItems[0].Text), Program.MinThreadQueryRights )) { using (TokenHandle tokenHandle = thandle.GetToken(TokenAccess.Query)) { tokenThreadMenuItem.Enabled = true; } } } catch (WindowsException) { tokenThreadMenuItem.Enabled = false; } } else { menuThread.DisableAll(); terminateThreadMenuItem.Enabled = true; forceTerminateThreadMenuItem.Enabled = true; suspendThreadMenuItem.Enabled = true; resumeThreadMenuItem.Enabled = true; terminateThreadMenuItem.Text = "&Terminate Threads"; forceTerminateThreadMenuItem.Text = "Force Terminate Threads"; suspendThreadMenuItem.Text = "&Suspend Threads"; resumeThreadMenuItem.Text = "&Resume Threads"; copyThreadMenuItem.Enabled = true; } if (listThreads.Items.Count == 0) { selectAllThreadMenuItem.Enabled = false; } else { selectAllThreadMenuItem.Enabled = true; } }
private static partial void AbortThread(ThreadHandle thread);
private void terminateThreadMenuItem_Click(object sender, EventArgs e) { if (listThreads.SelectedItems.Count == 0) return; // Special case for system threads. if ( KProcessHacker.Instance != null && _pid == 4 ) { if (!PhUtils.ShowConfirmMessage( "terminate", "the selected system thread(s)", "Forcibly terminating system threads may cause the system to crash.", true )) return; foreach (ListViewItem item in listThreads.SelectedItems) { int tid = Int32.Parse(item.SubItems[0].Text); try { using (var thandle = new ThreadHandle(tid, ThreadAccess.Terminate)) thandle.DangerousTerminate(NtStatus.Success); } catch (Exception ex) { PhUtils.ShowException("Unable to terminate the thread " + tid.ToString(), ex); } } return; } if (!PhUtils.ShowConfirmMessage( "terminate", "the selected thread(s)", "Terminating a thread may cause the process to stop working.", false )) return; if (Program.ElevationType == TokenElevationType.Limited && KProcessHacker.Instance == null && Settings.Instance.ElevationLevel != (int)ElevationLevel.Never) { try { foreach (ListViewItem item in listThreads.SelectedItems) { using (var thandle = new ThreadHandle(int.Parse(item.SubItems[0].Text), ThreadAccess.Terminate)) { } } } catch { string objects = ""; foreach (ListViewItem item in listThreads.SelectedItems) objects += item.SubItems[0].Text + ","; Program.StartProcessHackerAdmin("-e -type thread -action terminate -obj \"" + objects + "\" -hwnd " + this.Handle.ToString(), null, this.Handle); return; } } foreach (ListViewItem item in listThreads.SelectedItems) { try { using (var thandle = new ThreadHandle(Int32.Parse(item.SubItems[0].Text), ThreadAccess.Terminate)) thandle.Terminate(); } catch (Exception ex) { if (!PhUtils.ShowContinueMessage( "Unable to terminate the thread with ID " + item.SubItems[0].Text, ex )) return; } } }
public void KphSetInformationThread( ThreadHandle threadHandle, ThreadInformationClass threadInformationClass, IntPtr threadInformation, int threadInformationLength ) { byte* inData = stackalloc byte[0x10]; *(int*)inData = threadHandle; *(int*)(inData + 0x4) = (int)threadInformationClass; *(int*)(inData + 0x8) = threadInformation.ToInt32(); *(int*)(inData + 0xc) = threadInformationLength; _fileHandle.IoControl(CtlCode(Control.KphSetInformationThread), inData, 0x10, null, 0); }
private void forceTerminateThreadMenuItem_Click(object sender, EventArgs e) { if (!PhUtils.ShowConfirmMessage( "force terminate", "the selected thread(s)", "Forcibly terminating threads may cause the system to crash.", true )) return; foreach (ListViewItem item in listThreads.SelectedItems) { int tid = Int32.Parse(item.SubItems[0].Text); try { using (var thandle = new ThreadHandle(tid, ThreadAccess.Terminate)) thandle.DangerousTerminate(NtStatus.Success); } catch (Exception ex) { if (!PhUtils.ShowContinueMessage( "Unable to force terminate the thread with ID " + item.SubItems[0].Text, ex )) return; } } }
public unsafe int KphCaptureStackBackTraceThread( ThreadHandle threadHandle, int framesToSkip, int framesToCapture, IntPtr[] backTrace, out int backTraceHash ) { byte* inData = stackalloc byte[6 * sizeof(int)]; int capturedFramesLocal; int backTraceHashLocal; if (framesToCapture > backTrace.Length) throw new ArgumentOutOfRangeException("Back trace buffer is too small."); fixed (IntPtr* backTracePtr = backTrace) { *(int*)inData = threadHandle; *(int*)(inData + 0x4) = framesToSkip; *(int*)(inData + 0x8) = framesToCapture; *(int*)(inData + 0xc) = (int)backTracePtr; *(int*)(inData + 0x10) = (int)&capturedFramesLocal; *(int*)(inData + 0x14) = (int)&backTraceHashLocal; _fileHandle.IoControl(CtlCode(Control.KphCaptureStackBackTraceThread), inData, 6 * sizeof(int), null, 0); backTraceHash = backTraceHashLocal; return capturedFramesLocal; } }
public ThreadWindow(int PID, int TID, SymbolProvider symbols, ProcessHandle processHandle) { InitializeComponent(); this.AddEscapeToClose(); this.SetTopMost(); listViewCallStack_SelectedIndexChanged(null, null); _pid = PID; _tid = TID; _symbols = symbols; this.Text = Program.ProcessProvider.Dictionary[_pid].Name + " (PID " + _pid.ToString() + ") - Thread " + _tid.ToString(); PropertyInfo property = typeof(ListView).GetProperty("DoubleBuffered", BindingFlags.NonPublic | BindingFlags.Instance); property.SetValue(listViewCallStack, true, null); listViewCallStack.ContextMenu = listViewCallStack.GetCopyMenu(); try { if (processHandle != null) { _phandle = processHandle; _processHandleOwned = false; } else { try { _phandle = new ProcessHandle(_pid, ProcessAccess.QueryInformation | ProcessAccess.VmRead ); } catch { if (KProcessHacker.Instance != null) { _phandle = new ProcessHandle(_pid, Program.MinProcessReadMemoryRights); } else { throw; } } } } catch (Exception ex) { PhUtils.ShowException("Unable to open the process", ex); this.Close(); return; } try { try { _thandle = new ThreadHandle(_tid, ThreadAccess.GetContext | ThreadAccess.SuspendResume); } catch { if (KProcessHacker.Instance != null) { _thandle = new ThreadHandle(_tid, Program.MinThreadQueryRights | ThreadAccess.SuspendResume ); } else { throw; } } } catch (Exception ex) { PhUtils.ShowException("Unable to open the thread", ex); this.Close(); return; } }
public unsafe static extern Boolean32 ImpersonateAnonymousToken( ThreadHandle thread);
public void KphDangerousTerminateThread(ThreadHandle threadHandle, NtStatus exitStatus) { byte* inData = stackalloc byte[8]; *(int*)inData = threadHandle; *(int*)(inData + 4) = (int)exitStatus; _fileHandle.IoControl(CtlCode(Control.KphDangerousTerminateThread), inData, 8, null, 0); }
private static extern bool ImpersonateAnonymousToken([In] ThreadHandle ThreadHandle);
public int KphGetThreadWin32Thread(ThreadHandle threadHandle) { int threadHandleInt = threadHandle; byte* outData = stackalloc byte[4]; _fileHandle.IoControl(CtlCode(Control.KphGetThreadWin32Thread), (byte*)&threadHandleInt, 4, outData, 4); return *(int*)outData; }