public static string GetProcessUser(IntPtr hProcess, RunningProcess pre) { int MAX_INTPTR_BYTE_ARR_SIZE = 512; IntPtr tokenHandle; byte[] sidBytes; try { winaudits.AdjustPrevilege.AddDebugPrevilege(); // Get the Process Token if (!OpenProcessToken(hProcess, TOKEN_READ, out tokenHandle)) { return(null); } uint tokenInfoLength = 0; bool result; result = GetTokenInformation(tokenHandle, TOKEN_INFORMATION_CLASS.TokenUser, IntPtr.Zero, tokenInfoLength, out tokenInfoLength); // get the token info length IntPtr tokenInfo = Marshal.AllocHGlobal((int)tokenInfoLength); result = GetTokenInformation(tokenHandle, TOKEN_INFORMATION_CLASS.TokenUser, tokenInfo, tokenInfoLength, out tokenInfoLength); // get the token info // Get the User SID if (result) { TOKEN_USER tokenUser = (TOKEN_USER)Marshal.PtrToStructure(tokenInfo, typeof(TOKEN_USER)); sidBytes = new byte[MAX_INTPTR_BYTE_ARR_SIZE]; // Since I don't yet know how to be more precise w/ the size of the byte arr, it is being set to 512 Marshal.Copy(tokenUser.User.Sid, sidBytes, 0, MAX_INTPTR_BYTE_ARR_SIZE); // get a byte[] representation of the SID var sid = new SecurityIdentifier(sidBytes, 0); if (sid != null) { pre.SID = sid.ToString(); if (sid.IsAccountSid() == true) { pre.SIDType = "Account SID"; } else { pre.SIDType = "WellKnown"; } } return(GetUserNameFromSID(sidBytes)); } } catch (Exception) { return(null); } return(null); }
private static string GetProcessParametersString(int processId, PEB_OFFSET Offset, RunningProcess pre) { IntPtr handle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, processId); if (handle == IntPtr.Zero) { return(null); } ///////////////////// Get the username associated with the process /////////////////// string username = LookupAccountName.GetProcessUser(handle, pre); if (username != null) { pre.UserName = username; } ///////////////////////////////////////////////////////////////////////////////////// /////////////////// Get Working Set Counters /////////////////////////////////////// PROCESS_MEMORY_COUNTERS memoryCounters; memoryCounters.cb = (uint)Marshal.SizeOf(typeof(PROCESS_MEMORY_COUNTERS)); if (GetProcessMemoryInfo(handle, out memoryCounters, memoryCounters.cb)) { pre.WorkingSet = (int)memoryCounters.WorkingSetSize; //pre.workingsetstr = pre.workingset.ToString("#,##0") + " " + "Bytes"; } //////////////////////////////////////////////////////////////////////////////////// FILETIME lpCreationTime = new FILETIME(); FILETIME lpUserTime = new FILETIME(); FILETIME lpKernelTime = new FILETIME(); FILETIME lpExitTime = new FILETIME(); bool retval = GetProcessTimes(handle, out lpCreationTime, out lpExitTime, out lpKernelTime, out lpUserTime); if (retval == true) { string sc = ConvertTimeToString(lpCreationTime.DateTimeHigh, lpCreationTime.DateTimeLow, true); pre.StartTime = DateTime.Parse(sc); string kr = ConvertTimeToString(lpKernelTime.DateTimeHigh, lpKernelTime.DateTimeLow, false); pre.KernalTime = kr; string ut = ConvertTimeToString(lpUserTime.DateTimeHigh, lpUserTime.DateTimeLow, false); pre.UserTime = ut; } bool IsWow64Process = PlatformCheck.InternalCheckIsWow64(); bool IsTargetWow64Process = PlatformCheck.GetProcessIsWow64(handle); bool IsTarget64BitProcess = Is64BitOperatingSystem && !IsTargetWow64Process; pre.IsWow64 = IsTargetWow64Process; long offset = 0; long processParametersOffset = IsTarget64BitProcess ? 0x20 : 0x10; long offsetldr = 0x0c; switch (Offset) { case PEB_OFFSET.CurrentDirectory: offset = IsTarget64BitProcess ? 0x38 : 0x24; break; case PEB_OFFSET.CommandLine: offset = Is64BitOperatingSystem ? 0x70 : 0x40; if (offset == 0x70 && IsTargetWow64Process) { offset = 0x40; } break; default: return(null); } try { long pebAddress = 0; if (IsTargetWow64Process) // OS : 64Bit, Cur : 32 or 64, Tar: 32bit { IntPtr peb32 = new IntPtr(); int hr = NtQueryInformationProcess(handle, (int)PROCESSINFOCLASS.ProcessWow64Information, ref peb32, IntPtr.Size, IntPtr.Zero); if (hr != 0) { return(null); } pebAddress = peb32.ToInt64(); IntPtr pp = new IntPtr(); if (!ReadProcessMemory(handle, new IntPtr(pebAddress + processParametersOffset), ref pp, new IntPtr(Marshal.SizeOf(pp)), IntPtr.Zero)) { return(null); } UNICODE_STRING_32 us = new UNICODE_STRING_32(); if (!ReadProcessMemory(handle, new IntPtr(pp.ToInt64() + offset), ref us, new IntPtr(Marshal.SizeOf(us)), IntPtr.Zero)) { return(null); } if ((us.Buffer == 0) || (us.Length == 0)) { return(null); } string s = new string('\0', us.Length / 2); if (!ReadProcessMemory(handle, new IntPtr(us.Buffer), s, new IntPtr(us.Length), IntPtr.Zero)) { return(null); } UNICODE_STRING_32 us2 = new UNICODE_STRING_32(); if (!ReadProcessMemory(handle, new IntPtr(pp.ToInt64() + offset - 8), ref us2, new IntPtr(Marshal.SizeOf(us2)), IntPtr.Zero)) { return(null); } if ((us2.Buffer == 0) || (us2.Length == 0)) { return(null); } string s2 = new string('\0', us2.Length / 2); if (!ReadProcessMemory(handle, new IntPtr(us2.Buffer), s2, new IntPtr(us2.Length), IntPtr.Zero)) { return(null); } pre.Arguments = s; pre.Path = s2; //////////// Read Loader //////// PEB_LDR_DATA ldr1 = new PEB_LDR_DATA(); IntPtr ldrp = StructToPtr(ldr1); if (!ReadProcessMemory(handle, new IntPtr(pebAddress + 0x0c), ref ldrp, new IntPtr(Marshal.SizeOf(ldr1)), IntPtr.Zero)) { return(null); } /// We have long ldraddress = ldrp.ToInt64(); IntPtr le1 = new IntPtr(ldraddress + 0x0c); if (!ReadProcessMemory(handle, new IntPtr(ldraddress + 0xc), ref le1, new IntPtr(Marshal.SizeOf(le1)), IntPtr.Zero)) { return(null); } while (le1 != null) { UNICODE_STRING_32 us3 = new UNICODE_STRING_32(); if (!ReadProcessMemory(handle, new IntPtr(le1.ToInt64() + 0x24), ref us3, new IntPtr(Marshal.SizeOf(us3)), IntPtr.Zero)) { return(null); } if ((us3.Buffer == 0) || (us3.Length == 0)) { return(null); } string s3 = new string('\0', us3.Length / 2); if (!ReadProcessMemory(handle, new IntPtr(us3.Buffer), s3, new IntPtr(us3.Length), IntPtr.Zero)) { return(null); } long nextlist = le1.ToInt64(); IntPtr nextlistp = new IntPtr(nextlist); if (!ReadProcessMemory(handle, nextlistp, ref le1, new IntPtr(Marshal.SizeOf(le1)), IntPtr.Zero)) { return(null); } LoadedModule pme = new LoadedModule(); pme.ModulePath = s3; pre.ListProcessModule.Add(pme); } return(s); } else if (IsWow64Process)//Os : 64Bit, Cur 32, Tar 64 { PROCESS_BASIC_INFORMATION_WOW64 pbi = new PROCESS_BASIC_INFORMATION_WOW64(); int hr = NtWow64QueryInformationProcess64(handle, (int)PROCESSINFOCLASS.ProcessBasicInformation, ref pbi, Marshal.SizeOf(pbi), IntPtr.Zero); if (hr != 0) { return(null); } pebAddress = pbi.PebBaseAddress; long pp = 0; hr = NtWow64ReadVirtualMemory64(handle, pebAddress + processParametersOffset, ref pp, Marshal.SizeOf(pp), IntPtr.Zero); if (hr != 0) { return(null); } UNICODE_STRING_WOW64 us = new UNICODE_STRING_WOW64(); hr = NtWow64ReadVirtualMemory64(handle, pp + offset, ref us, Marshal.SizeOf(us), IntPtr.Zero); if (hr != 0) { return(null); } if ((us.Buffer == 0) || (us.Length == 0)) { return(null); } string s = new string('\0', us.Length / 2); hr = NtWow64ReadVirtualMemory64(handle, us.Buffer, s, us.Length, IntPtr.Zero); if (hr != 0) { return(null); } if (pre != null) { pre.Arguments = s; } UNICODE_STRING_WOW64 us2 = new UNICODE_STRING_WOW64(); hr = NtWow64ReadVirtualMemory64(handle, pp + offset - Marshal.SizeOf(us2), ref us2, Marshal.SizeOf(us2), IntPtr.Zero); if (hr != 0) { return(null); } if ((us2.Buffer == 0) || (us2.Length == 0)) { return(null); } string s2 = new string('\0', us2.Length / 2); hr = NtWow64ReadVirtualMemory64(handle, us2.Buffer, s2, us2.Length, IntPtr.Zero); if (hr != 0) { return(null); } // Console.WriteLine("IM : " + s2); pre.Path = s2; /////////////////////For Testing if (s2 != null && ((s2.ToLower().Contains("taskmgr.exe") == false))) { //return s2; } //////////// Read Loader //////// long ldrp = 0; if (NtWow64ReadVirtualMemory64(handle, pebAddress + 0x18, ref ldrp, sizeof(long), IntPtr.Zero) != 0) { return(null); } /// We have long ldraddress = ldrp + 0x10; long le1 = 0; if (NtWow64ReadVirtualMemory64(handle, ldraddress, ref le1, sizeof(long), IntPtr.Zero) != 0) { return(null); } while (le1 != 0) { UNICODE_STRING_WOW64 us3 = new UNICODE_STRING_WOW64(); hr = NtWow64ReadVirtualMemory64(handle, le1 + 0x48, ref us3, Marshal.SizeOf(us3), IntPtr.Zero); if (hr != 0) { return(null); } if ((us3.Buffer == 0) || (us3.Length == 0)) { return(null); } string s3 = new string('\0', us3.Length / 2); hr = NtWow64ReadVirtualMemory64(handle, us3.Buffer, s3, us3.Length, IntPtr.Zero); if (hr != 0) { return(null); } long nextlist = le1; hr = NtWow64ReadVirtualMemory64(handle, nextlist, ref le1, sizeof(long), IntPtr.Zero); if (hr != 0) { return(null); } LoadedModule pme = new LoadedModule(); pme.ModulePath = s3; pre.ListProcessModule.Add(pme); } return(s); } else// Os,Cur,Tar : 64 or 32 { PROCESS_BASIC_INFORMATION pbi = new PROCESS_BASIC_INFORMATION(); int hr = NtQueryInformationProcess(handle, (int)PROCESSINFOCLASS.ProcessBasicInformation, ref pbi, Marshal.SizeOf(pbi), IntPtr.Zero); if (hr != 0) { return(null); } pebAddress = pbi.PebBaseAddress.ToInt64(); IntPtr pp = new IntPtr(); if (!ReadProcessMemory(handle, new IntPtr(pebAddress + processParametersOffset), ref pp, new IntPtr(Marshal.SizeOf(pp)), IntPtr.Zero)) { return(null); } UNICODE_STRING us = new UNICODE_STRING(); if (!ReadProcessMemory(handle, new IntPtr((long)pp + offset), ref us, new IntPtr(Marshal.SizeOf(us)), IntPtr.Zero)) { return(null); } if ((us.Buffer == IntPtr.Zero) || (us.Length == 0)) { return(null); } string s = new string('\0', us.Length / 2); if (!ReadProcessMemory(handle, us.Buffer, s, new IntPtr(us.Length), IntPtr.Zero)) { return(null); } UNICODE_STRING us2 = new UNICODE_STRING(); if (!ReadProcessMemory(handle, new IntPtr((long)pp + offset - Marshal.SizeOf(us2)), ref us2, new IntPtr(Marshal.SizeOf(us2)), IntPtr.Zero)) { return(null); } if ((us2.Buffer == IntPtr.Zero) || (us2.Length == 0)) { return(null); } string s2 = new string('\0', us2.Length / 2); if (!ReadProcessMemory(handle, us2.Buffer, s2, new IntPtr(us2.Length), IntPtr.Zero)) { return(null); } pre.Path = s2; pre.Arguments = s; //////////// Read Loader //////// PEB_LDR_DATA ldr1 = new PEB_LDR_DATA(); IntPtr ldrp = StructToPtr(ldr1); if (!ReadProcessMemory(handle, new IntPtr(pebAddress + 0x0c), ref ldrp, new IntPtr(Marshal.SizeOf(ldr1)), IntPtr.Zero)) { return(null); } /// We have long ldraddress = ldrp.ToInt64(); IntPtr le1 = new IntPtr(ldraddress + 0x0c); if (!ReadProcessMemory(handle, new IntPtr(ldraddress + 0xc), ref le1, new IntPtr(Marshal.SizeOf(le1)), IntPtr.Zero)) { return(null); } while (le1 != null) { UNICODE_STRING_32 us3 = new UNICODE_STRING_32(); if (!ReadProcessMemory(handle, new IntPtr(le1.ToInt64() + 0x24), ref us3, new IntPtr(Marshal.SizeOf(us3)), IntPtr.Zero)) { return(null); } if ((us3.Buffer == 0) || (us3.Length == 0)) { return(null); } string s3 = new string('\0', us3.Length / 2); if (!ReadProcessMemory(handle, new IntPtr(us3.Buffer), s3, new IntPtr(us3.Length), IntPtr.Zero)) { return(null); } long nextlist = le1.ToInt64(); IntPtr nextlistp = new IntPtr(nextlist); if (!ReadProcessMemory(handle, nextlistp, ref le1, new IntPtr(Marshal.SizeOf(le1)), IntPtr.Zero)) { return(null); } LoadedModule pme = new LoadedModule(); pme.ModulePath = s3; pre.ListProcessModule.Add(pme); } return(s); } } finally { CloseHandle(handle); } }
public static List <RunningProcess> StartAudit() { IntPtr handleToSnapshot = IntPtr.Zero; List <RunningProcess> prelem = new List <RunningProcess>(); Dictionary <string, Forensics.CryptInfo> lstCertInfo = new Dictionary <string, Forensics.CryptInfo>(); try { PROCESSENTRY32 procEntry = new PROCESSENTRY32(); procEntry.dwSize = (UInt32)Marshal.SizeOf(typeof(PROCESSENTRY32)); handleToSnapshot = CreateToolhelp32Snapshot((uint)SnapshotFlags.Process, 0); if (Process32First(handleToSnapshot, ref procEntry)) { do { RunningProcess pre = new RunningProcess(); pre.ListProcessModule = new List <LoadedModule>(); pre.PID = procEntry.th32ProcessID; pre.ProcessName = procEntry.szExeFile; pre.PPID = procEntry.th32ParentProcessID; pre.ParentName = GetMainModuleFilepath((int)pre.PPID); string s1 = winaudits.ProcessList.GetProcessParametersString((int)procEntry.th32ProcessID, PEB_OFFSET.CommandLine, pre); if (!string.IsNullOrEmpty(pre.Path)) { Forensics.CryptInfo ci; if (lstCertInfo.ContainsKey(pre.Path)) { ci = lstCertInfo[pre.Path]; } else { ci = Forensics.SigVerify.CheckSignatureForFile(pre.Path); ci.MD5 = Forensics.ProxyMD5.ComputeFileMD5(pre.Path); lstCertInfo.Add(pre.Path, ci); } pre.MD5 = ci.MD5; pre.IsSigned = ci.IsSigned; pre.IsVerified = ci.IsVerified; pre.CertSubject = ci.Subject; pre.CA = ci.CA; pre.SignatureString = ci.Signature; } foreach (var modu in pre.ListProcessModule) { modu.ProcessId = (int)pre.PID; if (!string.IsNullOrEmpty(modu.ModulePath)) { modu.ModuleName = Path.GetFileName(modu.ModulePath); } Forensics.CryptInfo ci; if (lstCertInfo.ContainsKey(modu.ModulePath)) { ci = lstCertInfo[modu.ModulePath]; } else { ci = Forensics.SigVerify.CheckSignatureForFile(modu.ModulePath); ci.MD5 = Forensics.ProxyMD5.ComputeFileMD5(modu.ModulePath); lstCertInfo.Add(modu.ModulePath, ci); } modu.MD5 = ci.MD5; modu.IsSigned = ci.IsSigned; modu.IsVerified = ci.IsVerified; modu.CertSubject = ci.Subject; modu.CA = ci.CA; modu.SignatureString = ci.Signature; } prelem.Add(pre); } while (Process32Next(handleToSnapshot, ref procEntry)); } } catch (Exception) { return(prelem); } finally { // Must clean up the snapshot object! CloseHandle(handleToSnapshot); } return(prelem); }