private void LoadToken()
{
var token = _processMo.GetChild("Token");
if (token == null)
{
return;
}
var dict = Dump.GetDictionary(token);
if (!dict.ContainsKey("UserName"))
{
return;
}
string elevated =
dict.ContainsKey("Elevated") ?
Dump.ParseBool(dict["Elevated"]).ToString() :
"N/A";
string virtualization =
dict.ContainsKey("VirtualizationAllowed") ?
(Dump.ParseBool(dict["VirtualizationAllowed"]) ?
(Dump.ParseBool(dict["VirtualizationEnabled"]) ? "Enabled" : "Disabled") :
"Not Allowed") : "N/A";
_tokenProps.DumpSetTextToken(
dict["UserName"],
dict["UserStringSid"],
dict["OwnerName"],
dict["PrimaryGroupName"],
Dump.ParseInt32(dict["SessionId"]).ToString(),
elevated,
virtualization
);
if (dict.ContainsKey("SourceName"))
{
_tokenProps.DumpSetTextSource(
dict["SourceName"],
"0x" + Dump.ParseInt64(dict["SourceLuid"]).ToString("x")
);
}
_tokenProps.DumpSetTextAdvanced(
((TokenType)Dump.ParseInt32(dict["Type"])).ToString(),
((SecurityImpersonationLevel)Dump.ParseInt32(dict["ImpersonationLevel"])).ToString(),
"0x" + Dump.ParseInt64(dict["Luid"]).ToString("x"),
"0x" + Dump.ParseInt64(dict["AuthenticationLuid"]).ToString("x"),
Utils.FormatSize(Dump.ParseInt32(dict["MemoryUsed"])),
Utils.FormatSize(Dump.ParseInt32(dict["MemoryAvailable"]))
);
using (var groups = token.GetChild("Groups"))
{
var groupsList = Dump.GetList(groups);
foreach (var group in groupsList)
{
var split = group.Split(';');
_tokenProps.DumpAddGroup(split[0], (SidAttributes)Dump.ParseInt32(split[1]));
}
}
using (var privileges = token.GetChild("Privileges"))
{
var privilegesList = Dump.GetList(privileges);
foreach (var privilege in privilegesList)
{
var split = privilege.Split(';');
_tokenProps.DumpAddPrivilege(
split[0],
split[1],
(SePrivilegeAttributes)Dump.ParseInt32(split[2])
);
}
}
token.Dispose();
}
private void LoadProcess(MemoryObject mo)
{
var names = mo.ChildNames;
ProcessItem pitem;
if (!names.Contains("General"))
{
return;
}
IDictionary <string, string> generalDict;
using (MemoryObject general = mo.GetChild("General"))
generalDict = Dump.GetDictionary(general);
pitem = new ProcessItem
{
Pid = Dump.ParseInt32(generalDict["ProcessId"]),
Name = generalDict["Name"],
ParentPid = Dump.ParseInt32(generalDict["ParentPid"])
};
if (generalDict.ContainsKey("HasParent"))
{
pitem.HasParent = Dump.ParseBool(generalDict["HasParent"]);
}
if (generalDict.ContainsKey("StartTime"))
{
pitem.CreateTime = Dump.ParseDateTime(generalDict["StartTime"]);
}
if (generalDict.ContainsKey("SessionId"))
{
pitem.SessionId = Dump.ParseInt32(generalDict["SessionId"]);
}
if (generalDict.ContainsKey("FileName"))
{
pitem.FileName = generalDict["FileName"];
}
if (generalDict.ContainsKey("FileDescription"))
{
pitem.VersionInfo = new ImageVersionInfo
{
FileDescription = generalDict["FileDescription"],
CompanyName = generalDict["FileCompanyName"],
FileVersion = generalDict["FileVersion"],
FileName = pitem.FileName
};
}
if (generalDict.ContainsKey("CommandLine"))
{
pitem.CmdLine = generalDict["CommandLine"];
}
if (generalDict.ContainsKey("IsPosix"))
{
pitem.IsPosix = Dump.ParseBool(generalDict["IsPosix"]);
}
if (generalDict.ContainsKey("IsWow64"))
{
pitem.IsWow64 = Dump.ParseBool(generalDict["IsWow64"]);
}
if (generalDict.ContainsKey("IsBeingDebugged"))
{
pitem.IsBeingDebugged = Dump.ParseBool(generalDict["IsBeingDebugged"]);
}
if (generalDict.ContainsKey("UserName"))
{
pitem.Username = generalDict["UserName"];
}
if (generalDict.ContainsKey("ElevationType"))
{
pitem.ElevationType = (TokenElevationType)Dump.ParseInt32(generalDict["ElevationType"]);
}
if (generalDict.ContainsKey("CpuUsage"))
{
pitem.CpuUsage = float.Parse(generalDict["CpuUsage"]);
}
if (generalDict.ContainsKey("JobName"))
{
pitem.JobName = generalDict["JobName"];
}
if (generalDict.ContainsKey("IsInJob"))
{
pitem.IsInJob = Dump.ParseBool(generalDict["IsInJob"]);
}
if (generalDict.ContainsKey("IsInSignificantJob"))
{
pitem.IsInSignificantJob = Dump.ParseBool(generalDict["IsInSignificantJob"]);
}
if (generalDict.ContainsKey("Integrity"))
{
pitem.Integrity = generalDict["Integrity"];
}
if (generalDict.ContainsKey("IntegrityLevel"))
{
pitem.IntegrityLevel = Dump.ParseInt32(generalDict["IntegrityLevel"]);
}
if (generalDict.ContainsKey("IsDotNet"))
{
pitem.IsDotNet = Dump.ParseBool(generalDict["IsDotNet"]);
}
if (generalDict.ContainsKey("IsPacked"))
{
pitem.IsPacked = Dump.ParseBool(generalDict["IsPacked"]);
}
if (generalDict.ContainsKey("VerifyResult"))
{
pitem.VerifyResult = (VerifyResult)Dump.ParseInt32(generalDict["VerifyResult"]);
}
if (generalDict.ContainsKey("VerifySignerName"))
{
pitem.VerifySignerName = generalDict["VerifySignerName"];
}
if (generalDict.ContainsKey("ImportFunctions"))
{
pitem.ImportFunctions = Dump.ParseInt32(generalDict["ImportFunctions"]);
}
if (generalDict.ContainsKey("ImportModules"))
{
pitem.ImportModules = Dump.ParseInt32(generalDict["ImportModules"]);
}
if (names.Contains("SmallIcon"))
{
using (var smallIcon = mo.GetChild("SmallIcon"))
pitem.Icon = Dump.GetIcon(smallIcon);
}
if (names.Contains("VmCounters"))
{
using (var vmCounters = mo.GetChild("VmCounters"))
pitem.Process.VirtualMemoryCounters = Dump.GetStruct <VmCountersEx64>(vmCounters).ToVmCountersEx();
}
if (names.Contains("IoCounters"))
{
using (var ioCounters = mo.GetChild("IoCounters"))
pitem.Process.IoCounters = Dump.GetStruct <IoCounters>(ioCounters);
}
_processes.Add(pitem.Pid, pitem);
treeProcesses.AddItem(pitem);
}