public TreePath RefreshTreePath() { ProcessNode currentNode = this; int i = _processNodeTreePathMaxDepth; if (_processNodeTreePathBuffer == null) { _processNodeTreePathBuffer = new ProcessNode[_processNodeTreePathMaxDepth]; } while (i > 0 && currentNode != null) { _processNodeTreePathBuffer[--i] = currentNode; currentNode = currentNode.Parent; } ProcessNode[] path; path = new ProcessNode[_processNodeTreePathMaxDepth - i]; Array.Copy(_processNodeTreePathBuffer, i, path, 0, _processNodeTreePathMaxDepth - i); _treePath = new TreePath(path); return(_treePath); }
public void RefreshItems() { lock (_listLock) { foreach (TreeNodeAdv node in treeProcesses.AllNodes) { try { ProcessNode pNode = this.FindNode(node); // May not be in the dictionary if the process has terminated but // the node is still being highlighted. if (_provider.Dictionary.ContainsKey(pNode.Pid)) { ProcessItem item = _provider.Dictionary[pNode.Pid]; node.BackColor = this.GetProcessColor(item); } } catch (Exception ex) { Logging.Log(ex); } } } }
public void Modify(ProcessItem oldItem, ProcessItem newItem) { ProcessNode node = _processes[newItem.Pid]; node.ProcessItem = newItem; //if (node.ProcessItem.HasParent && node.PPID != -1) // this.NodesChanged(this, new TreeModelEventArgs(this.GetPath( // _processes.ContainsKey(node.PPID) ? _processes[node.PPID] : null), // new object[] { node })); }
public void MoveChildrenToRoot(ProcessNode node) { ProcessNode[] children = node.Children.ToArray(); foreach (ProcessNode child in children) { child.Parent = null; child.RefreshTreePathRecursive(); } _roots.AddRange(children); }
public void Remove(ProcessItem item) { ProcessNode itemNode = _processes[item.Pid]; ProcessNode[] itemChildren = null; // Dispose of the process node we're removing. itemNode.Dispose(); itemChildren = itemNode.Children.ToArray(); // Check if the node has a parent. if (itemNode.Parent == null) { if (_roots.Contains(itemNode)) { // Remove the process from the roots and make its children root nodes. _roots.Remove(itemNode); this.MoveChildrenToRoot(itemNode); } } else { if (itemNode.Parent.Children.Contains(itemNode)) { // Remove the node from its parent and make its children root nodes. itemNode.Parent.Children.Remove(itemNode); this.MoveChildrenToRoot(itemNode); } } // Remove the process from the process dictionary. _processes.Remove(item.Pid); this.StructureChanged(this, new TreePathEventArgs(new TreePath())); // Expand the children because TreeViewAdv collapses them by default. if (itemChildren != null) { foreach (ProcessNode n in itemChildren) { try { _tree.FindTreeNode(n).ExpandAll(); } catch (Exception ex) { Logging.Log(ex); } } } _tree.Invalidate(); }
public TreePath GetPath(ProcessNode node) { if (node == null) { return(TreePath.Empty); } if (this.GetSortColumn() != string.Empty) { return(new TreePath(node)); } return(node.TreePath); }
public TreePath RefreshTreePath() { ProcessNode currentNode = this; Stack <ProcessNode> stack = new Stack <ProcessNode>(); while (currentNode != null) { stack.Push(currentNode); currentNode = currentNode.Parent; } _treePath = new TreePath(stack.ToArray()); return(_treePath); }
public void Add(ProcessItem item) { ProcessNode itemNode = new ProcessNode(item); // Add the process to the list of all processes. _processes.Add(item.Pid, itemNode); // Find the process' parent and add the process to it if we found it. if (item.HasParent && _processes.ContainsKey(item.ParentPid)) { ProcessNode parent = _processes[item.ParentPid]; parent.Children.Add(itemNode); itemNode.Parent = parent; } else { // The process doesn't have a parent, so add it to the root nodes. _roots.Add(itemNode); } itemNode.RefreshTreePath(); // Find this process' children and fix them up. // We need to create a copy of the array because we may need // to modify the roots list. ProcessNode[] roots = _roots.ToArray(); foreach (ProcessNode node in roots) { // Notice that we don't replace a node's parent if it // already has one. This is to break potential cyclic // references. if (node.Parent == null && node.ProcessItem.HasParent && node.PPid == item.Pid) { // Remove the node from the root list and add it to our // process' child list. _roots.Remove(node); itemNode.Children.Add(node); node.Parent = itemNode; node.RefreshTreePathRecursive(); } } this.StructureChanged(this, new TreePathEventArgs(new TreePath())); }
public void Add(ProcessItem item) { ProcessNode itemNode = new ProcessNode(item); _processes.Add(item.Pid, itemNode); if (item.HasParent && _processes.ContainsKey(item.ParentPid)) { ProcessNode parent = _processes[item.ParentPid]; parent.Children.Add(itemNode); itemNode.Parent = parent; } else { _roots.Add(itemNode); } itemNode.RefreshTreePath(); ProcessNode[] roots = _roots.ToArray(); foreach (ProcessNode node in roots) { if (node.Parent == null && node.ProcessItem.HasParent && node.PPid == item.Pid) { _roots.Remove(node); itemNode.Children.Add(node); node.Parent = itemNode; node.RefreshTreePathRecursive(); } } this.StructureChanged(this, new TreePathEventArgs(new TreePath())); }
public TreePath RefreshTreePath() { ProcessNode currentNode = this; int i = _processNodeTreePathMaxDepth; if (_processNodeTreePathBuffer == null) _processNodeTreePathBuffer = new ProcessNode[_processNodeTreePathMaxDepth]; while (i > 0 && currentNode != null) { _processNodeTreePathBuffer[--i] = currentNode; currentNode = currentNode.Parent; } ProcessNode[] path; path = new ProcessNode[_processNodeTreePathMaxDepth - i]; Array.Copy(_processNodeTreePathBuffer, i, path, 0, _processNodeTreePathMaxDepth - i); _treePath = new TreePath(path); return _treePath; }
public TreePath GetPath(ProcessNode node) { if (node == null) return TreePath.Empty; if (this.GetSortColumn() != "") { return new TreePath(node); } else { return node.TreePath; } }
public TreeNodeAdv FindTreeNode(ProcessNode node) { return(this.FindTreeNode(node.Pid)); }
public TreeNodeAdv FindTreeNode(ProcessNode node) { return this.FindTreeNode(node.Pid); }
public string GetToolTip(ProcessNode pNode) { try { string cmdText = (!string.IsNullOrEmpty(pNode.ProcessItem.CmdLine) ? (Utils.CreateEllipsis(pNode.ProcessItem.CmdLine.Replace("\0", string.Empty), 100) + "\n") : string.Empty); string fileText = string.Empty; try { if (pNode.ProcessItem.VersionInfo != null) { var info = pNode.ProcessItem.VersionInfo; fileText = "File:\n" + PhUtils.FormatFileInfo(info.FileName, info.FileDescription, info.CompanyName, info.FileVersion, 4); } } catch { if (!string.IsNullOrEmpty(pNode.ProcessItem.FileName)) fileText = "File:\n " + pNode.ProcessItem.FileName; } string runDllText = string.Empty; if (!string.IsNullOrEmpty(pNode.ProcessItem.FileName) && pNode.ProcessItem.FileName.EndsWith("\\rundll32.exe", StringComparison.InvariantCultureIgnoreCase) && !string.IsNullOrEmpty(pNode.ProcessItem.CmdLine)) { try { // TODO: fix crappy method string targetFile = pNode.ProcessItem.CmdLine.Split(new char[] { ' ' }, 2)[1].Split(',')[0]; // if it doesn't specify an absolute path, assume it's in system32. if (!targetFile.Contains(":", StringComparison.OrdinalIgnoreCase)) targetFile = Environment.SystemDirectory + "\\" + targetFile; FileVersionInfo info = FileVersionInfo.GetVersionInfo(targetFile); runDllText = "\nRunDLL target:\n " + info.FileName + "\n " + info.FileDescription + " " + info.FileVersion + "\n " + info.CompanyName; } catch (Exception ex) { Logging.Log(ex); } } string dllhostText = string.Empty; if (!string.IsNullOrEmpty(pNode.ProcessItem.FileName) && pNode.ProcessItem.FileName.EndsWith("\\dllhost.exe", StringComparison.InvariantCultureIgnoreCase) && !string.IsNullOrEmpty(pNode.ProcessItem.CmdLine)) { try { string clsid = pNode.ProcessItem.CmdLine.ToLowerInvariant().Split(new[] { "/processid:" }, StringSplitOptions.None)[1].Split(' ')[0]; using (RegistryKey key = Registry.ClassesRoot.OpenSubKey("CLSID\\" + clsid)) using (RegistryKey inprocServer32 = key.OpenSubKey("InprocServer32")) { string name = key.GetValue(string.Empty) as string; string fileName = inprocServer32.GetValue(string.Empty) as string; FileVersionInfo info = FileVersionInfo.GetVersionInfo(Environment.ExpandEnvironmentVariables(fileName)); dllhostText = "\nCOM Target:\n " + name + " (" + clsid.ToUpper() + ")\n " + info.FileName + "\n " + info.FileDescription + " " + info.FileVersion + "\n " + info.CompanyName; } } catch (Exception ex) { Logging.Log(ex); } } string servicesText = string.Empty; try { IDictionary<int, List<string>> processServices; IDictionary<string, ServiceItem> services; if (!_tree.DumpMode) { processServices = Program.HackerWindow.ProcessServices; services = Program.ServiceProvider.Dictionary; } else { processServices = _tree.DumpProcessServices; services = _tree.DumpServices; } if (processServices.ContainsKey(pNode.Pid)) { foreach (string service in processServices[pNode.Pid]) { if (services.ContainsKey(service)) { if (string.IsNullOrEmpty(services[service].Status.DisplayName)) servicesText += " " + service + " (" + services[service].Status.DisplayName + ")\n"; else servicesText += " " + service + "\n"; } else { servicesText += " " + service + "\n"; } } servicesText = "\nServices:\n" + servicesText.TrimEnd('\n'); } } catch (Exception ex) { Logging.Log(ex); } string otherNotes = string.Empty; try { if (pNode.ProcessItem.IsPacked && pNode.ProcessItem.ImportModules > 0) otherNotes += "\n Image is probably packed - has " + pNode.ProcessItem.ImportFunctions.ToString() + " imports over " + pNode.ProcessItem.ImportModules.ToString() + " modules."; else if (pNode.ProcessItem.IsPacked) otherNotes += "\n Image is probably packed - error reading PE file."; if (pNode.ProcessItem.FileName != null) { if (pNode.ProcessItem.VerifyResult == VerifyResult.Trusted) { if (!string.IsNullOrEmpty(pNode.ProcessItem.VerifySignerName)) otherNotes += "\n Signer: " + pNode.ProcessItem.VerifySignerName; else otherNotes += "\n Signed."; } else if (pNode.ProcessItem.VerifyResult == VerifyResult.Unknown && !Settings.Instance.VerifySignatures) { otherNotes += string.Empty; } else if (pNode.ProcessItem.VerifyResult == VerifyResult.Unknown && Settings.Instance.VerifySignatures && !_tree.DumpMode) { otherNotes += "\n File has not been processed yet. Please wait..."; } else if (pNode.ProcessItem.VerifyResult != VerifyResult.NoSignature) { otherNotes += "\n Signature invalid."; } if (Program.ImposterNames.Contains(pNode.Name.ToLowerInvariant()) && pNode.ProcessItem.VerifyResult != VerifyResult.Trusted && pNode.ProcessItem.VerifyResult != VerifyResult.Unknown) otherNotes += "\n Process is using the name of a known process but its signature could not be verified."; } if (pNode.ProcessItem.IsInJob) otherNotes += "\n Process is in a job."; if (pNode.ProcessItem.ElevationType == TokenElevationType.Full) otherNotes += "\n Process is elevated."; if (pNode.ProcessItem.IsDotNet) otherNotes += "\n Process is managed (.NET)."; if (pNode.ProcessItem.IsPosix) otherNotes += "\n Process is POSIX."; if (pNode.ProcessItem.IsWow64) otherNotes += "\n Process is 32-bit (running under WOW64)."; if (otherNotes != string.Empty) otherNotes = "\nNotes:" + otherNotes; } catch (Exception ex) { Logging.Log(ex); } return (cmdText + fileText + otherNotes + runDllText + dllhostText + servicesText).Trim(' ', '\n', '\r'); } catch (Exception ex) { Logging.Log(ex); } return string.Empty; }
public string GetToolTip(ProcessNode pNode) { try { string cmdText = (pNode.ProcessItem.CmdLine != null ? (Utils.CreateEllipsis(pNode.ProcessItem.CmdLine.Replace("\0", ""), 100) + "\n") : ""); string fileText = ""; try { string filename = ""; if (pNode.Pid == 4) { filename = FileUtils.GetFileName(Windows.KernelFileName); } else { filename = pNode.ProcessItem.FileName; } FileVersionInfo info = FileVersionInfo.GetVersionInfo(filename); fileText = "File:\n " + info.FileName + "\n " + info.FileDescription + " " + info.FileVersion + "\n " + info.CompanyName; } catch { if (pNode.ProcessItem.FileName != null) fileText = "File:\n " + pNode.ProcessItem.FileName; } string runDllText = ""; if (pNode.ProcessItem.FileName != null && pNode.ProcessItem.FileName.Equals(Environment.SystemDirectory + "\\rundll32.exe", StringComparison.InvariantCultureIgnoreCase) && pNode.ProcessItem.CmdLine != null) { try { // TODO: fix crappy method string targetFile = pNode.ProcessItem.CmdLine.Split(new char[] { ' ' }, 2)[1].Split(',')[0]; // if it doesn't specify an absolute path, assume it's in system32. if (!targetFile.Contains(":")) targetFile = Environment.SystemDirectory + "\\" + targetFile; FileVersionInfo info = FileVersionInfo.GetVersionInfo(targetFile); runDllText = "\nRunDLL target:\n " + info.FileName + "\n " + info.FileDescription + " " + info.FileVersion + "\n " + info.CompanyName; } catch (Exception ex) { Logging.Log(ex); } } string dllhostText = ""; if (pNode.ProcessItem.FileName != null && pNode.ProcessItem.FileName.Equals(Environment.SystemDirectory + "\\dllhost.exe", StringComparison.InvariantCultureIgnoreCase) && pNode.ProcessItem.CmdLine != null) { try { string clsid = pNode.ProcessItem.CmdLine.ToLowerInvariant().Split( new string[] { "/processid:" }, StringSplitOptions.None)[1].Split(' ')[0]; var key = Microsoft.Win32.Registry.ClassesRoot.OpenSubKey("CLSID\\" + clsid); var inprocServer32 = key.OpenSubKey("InprocServer32"); string name = key.GetValue("") as string; string fileName = inprocServer32.GetValue("") as string; FileVersionInfo info = FileVersionInfo.GetVersionInfo(Environment.ExpandEnvironmentVariables(fileName)); dllhostText = "\nCOM Target:\n " + name + " (" + clsid.ToUpper() + ")\n " + info.FileName + "\n " + info.FileDescription + " " + info.FileVersion + "\n " + info.CompanyName; } catch (Exception ex) { Logging.Log(ex); } } string servicesText = ""; try { if (Program.HackerWindow.ProcessServices.ContainsKey(pNode.Pid)) { foreach (string service in Program.HackerWindow.ProcessServices[pNode.Pid]) { if (Program.ServiceProvider.Dictionary.ContainsKey(service)) { if (Program.ServiceProvider.Dictionary[service].Status.DisplayName != "") servicesText += " " + service + " (" + Program.ServiceProvider.Dictionary[service].Status.DisplayName + ")\n"; else servicesText += " " + service + "\n"; } else { servicesText += " " + service + "\n"; } } servicesText = "\nServices:\n" + servicesText.TrimEnd('\n'); } } catch (Exception ex) { Logging.Log(ex); } string otherNotes = ""; try { if (pNode.ProcessItem.IsPacked && pNode.ProcessItem.ImportModules > 0) otherNotes += "\n Image is probably packed - has " + pNode.ProcessItem.ImportFunctions.ToString() + " imports over " + pNode.ProcessItem.ImportModules.ToString() + " modules."; else if (pNode.ProcessItem.IsPacked) otherNotes += "\n Image is probably packed - error reading PE file."; if (pNode.ProcessItem.FileName != null) { if (pNode.ProcessItem.VerifyResult == VerifyResult.Trusted) otherNotes += "\n Signature present and verified."; else if (pNode.ProcessItem.VerifyResult == VerifyResult.TrustedInstaller) otherNotes += "\n Verified Windows component."; else if (pNode.ProcessItem.VerifyResult == VerifyResult.Unknown && !Properties.Settings.Default.VerifySignatures) otherNotes += ""; else if (pNode.ProcessItem.VerifyResult == VerifyResult.Unknown && Properties.Settings.Default.VerifySignatures) otherNotes += "\n File has not been processed yet. Please wait..."; else if (pNode.ProcessItem.VerifyResult != VerifyResult.NoSignature) otherNotes += "\n Signature present but invalid."; if (Program.ImposterNames.Contains(pNode.Name.ToLower()) && pNode.ProcessItem.VerifyResult != VerifyResult.Trusted && pNode.ProcessItem.VerifyResult != VerifyResult.TrustedInstaller && pNode.ProcessItem.VerifyResult != VerifyResult.Unknown) otherNotes += "\n Process is using the name of a known process but its signature could not be verified."; } if (pNode.ProcessItem.IsInJob) otherNotes += "\n Process is in a job."; if (pNode.ProcessItem.ElevationType == TokenElevationType.Full) otherNotes += "\n Process is elevated."; if (pNode.ProcessItem.IsDotNet) otherNotes += "\n Process is managed (.NET)."; if (pNode.ProcessItem.IsPosix) otherNotes += "\n Process is POSIX."; if (pNode.ProcessItem.IsWow64) otherNotes += "\n Process is 32-bit (running under WOW64)."; if (otherNotes != "") otherNotes = "\nNotes:" + otherNotes; } catch (Exception ex) { Logging.Log(ex); } return (cmdText + fileText + otherNotes + runDllText + dllhostText + servicesText).Trim(' ', '\n', '\r'); } catch (Exception ex) { Logging.Log(ex); } return string.Empty; }
public string GetToolTip(ProcessNode pNode) { try { string cmdText = (!string.IsNullOrEmpty(pNode.ProcessItem.CmdLine) ? (Utils.CreateEllipsis(pNode.ProcessItem.CmdLine.Replace("\0", string.Empty), 100) + "\n") : string.Empty); string fileText = string.Empty; try { if (pNode.ProcessItem.VersionInfo != null) { var info = pNode.ProcessItem.VersionInfo; fileText = "File:\n" + PhUtils.FormatFileInfo(info.FileName, info.FileDescription, info.CompanyName, info.FileVersion, 4); } } catch { if (!string.IsNullOrEmpty(pNode.ProcessItem.FileName)) { fileText = "File:\n " + pNode.ProcessItem.FileName; } } string runDllText = string.Empty; if (!string.IsNullOrEmpty(pNode.ProcessItem.FileName) && pNode.ProcessItem.FileName.EndsWith("\\rundll32.exe", StringComparison.InvariantCultureIgnoreCase) && !string.IsNullOrEmpty(pNode.ProcessItem.CmdLine)) { try { // TODO: fix crappy method string targetFile = pNode.ProcessItem.CmdLine.Split(new char[] { ' ' }, 2)[1].Split(',')[0]; // if it doesn't specify an absolute path, assume it's in system32. if (!targetFile.Contains(":", StringComparison.OrdinalIgnoreCase)) { targetFile = Environment.SystemDirectory + "\\" + targetFile; } FileVersionInfo info = FileVersionInfo.GetVersionInfo(targetFile); runDllText = "\nRunDLL target:\n " + info.FileName + "\n " + info.FileDescription + " " + info.FileVersion + "\n " + info.CompanyName; } catch (Exception ex) { Logging.Log(ex); } } string dllhostText = string.Empty; if (!string.IsNullOrEmpty(pNode.ProcessItem.FileName) && pNode.ProcessItem.FileName.EndsWith("\\dllhost.exe", StringComparison.InvariantCultureIgnoreCase) && !string.IsNullOrEmpty(pNode.ProcessItem.CmdLine)) { try { string clsid = pNode.ProcessItem.CmdLine.ToLowerInvariant().Split(new[] { "/processid:" }, StringSplitOptions.None)[1].Split(' ')[0]; using (RegistryKey key = Registry.ClassesRoot.OpenSubKey("CLSID\\" + clsid)) using (RegistryKey inprocServer32 = key.OpenSubKey("InprocServer32")) { string name = key.GetValue(string.Empty) as string; string fileName = inprocServer32.GetValue(string.Empty) as string; FileVersionInfo info = FileVersionInfo.GetVersionInfo(Environment.ExpandEnvironmentVariables(fileName)); dllhostText = "\nCOM Target:\n " + name + " (" + clsid.ToUpper() + ")\n " + info.FileName + "\n " + info.FileDescription + " " + info.FileVersion + "\n " + info.CompanyName; } } catch (Exception ex) { Logging.Log(ex); } } string servicesText = string.Empty; try { IDictionary <int, List <string> > processServices; IDictionary <string, ServiceItem> services; if (!_tree.DumpMode) { processServices = Program.HackerWindow.ProcessServices; services = Program.ServiceProvider.Dictionary; } else { processServices = _tree.DumpProcessServices; services = _tree.DumpServices; } if (processServices.ContainsKey(pNode.Pid)) { foreach (string service in processServices[pNode.Pid]) { if (services.ContainsKey(service)) { if (string.IsNullOrEmpty(services[service].Status.DisplayName)) { servicesText += " " + service + " (" + services[service].Status.DisplayName + ")\n"; } else { servicesText += " " + service + "\n"; } } else { servicesText += " " + service + "\n"; } } servicesText = "\nServices:\n" + servicesText.TrimEnd('\n'); } } catch (Exception ex) { Logging.Log(ex); } string otherNotes = string.Empty; try { if (pNode.ProcessItem.IsPacked && pNode.ProcessItem.ImportModules > 0) { otherNotes += "\n Image is probably packed - has " + pNode.ProcessItem.ImportFunctions.ToString() + " imports over " + pNode.ProcessItem.ImportModules.ToString() + " modules."; } else if (pNode.ProcessItem.IsPacked) { otherNotes += "\n Image is probably packed - error reading PE file."; } if (pNode.ProcessItem.FileName != null) { if (pNode.ProcessItem.VerifyResult == VerifyResult.Trusted) { if (!string.IsNullOrEmpty(pNode.ProcessItem.VerifySignerName)) { otherNotes += "\n Signer: " + pNode.ProcessItem.VerifySignerName; } else { otherNotes += "\n Signed."; } } else if (pNode.ProcessItem.VerifyResult == VerifyResult.Unknown && !Settings.Instance.VerifySignatures) { otherNotes += string.Empty; } else if (pNode.ProcessItem.VerifyResult == VerifyResult.Unknown && Settings.Instance.VerifySignatures && !_tree.DumpMode) { otherNotes += "\n File has not been processed yet. Please wait..."; } else if (pNode.ProcessItem.VerifyResult != VerifyResult.NoSignature) { otherNotes += "\n Signature invalid."; } if (Program.ImposterNames.Contains(pNode.Name.ToLowerInvariant()) && pNode.ProcessItem.VerifyResult != VerifyResult.Trusted && pNode.ProcessItem.VerifyResult != VerifyResult.Unknown) { otherNotes += "\n Process is using the name of a known process but its signature could not be verified."; } } if (pNode.ProcessItem.IsInJob) { otherNotes += "\n Process is in a job."; } if (pNode.ProcessItem.ElevationType == TokenElevationType.Full) { otherNotes += "\n Process is elevated."; } if (pNode.ProcessItem.IsDotNet) { otherNotes += "\n Process is managed (.NET)."; } if (pNode.ProcessItem.IsPosix) { otherNotes += "\n Process is POSIX."; } if (pNode.ProcessItem.IsWow64) { otherNotes += "\n Process is 32-bit (running under WOW64)."; } if (otherNotes != string.Empty) { otherNotes = "\nNotes:" + otherNotes; } } catch (Exception ex) { Logging.Log(ex); } return((cmdText + fileText + otherNotes + runDllText + dllhostText + servicesText).Trim(' ', '\n', '\r')); } catch (Exception ex) { Logging.Log(ex); } return(string.Empty); }