async private Task PsList_Method2()
{
await Task.Run(() =>
{
try
{
PsList2 psList = new PsList2(_profile, _dataProvider, _processList);
HashSet <ulong> results = psList.Run();
foreach (ulong address in results)
{
EProcess ep = new EProcess(_profile, _dataProvider, address);
string name = ep.ImageFileName;
uint pid = ep.Pid;
if (pid == 0 || name == "")
{
continue;
}
ProcessInfo p = GetProcessInfo(pid, name);
if (p == null)
{
p = new ProcessInfo();
p.AddressSpace = _kernelAddressSpace;
p.ProcessName = name;
p.Pid = pid;
p.Dtb = ep.DTB;
p.ParentPid = ep.Ppid;
p.ActiveThreads = ep.ActiveThreads;
p.Session = ep.Session;
p.StartTime = ep.StartTime;
p.ExitTime = ep.ExitTime;
p.ObjectTableAddress = ep.ObjectTable;
p.FoundByMethod2 = true;
p.PhysicalAddress = ep.PhysicalAddress;
p.VirtualAddress = ep.VirtualAddress;
AddProcess(p);
}
else
{
p.FoundByMethod2 = true;
}
}
}
catch (Exception ex)
{
Debug.WriteLine(ex.Message);
return;
}
});
}
private void ProcessAProcess(object sender, DoWorkEventArgs e)
{
BackgroundWorker worker = sender as BackgroundWorker;
Job job = e.Argument as Job;
AddDebugMessage("Background Worker: " + job.ProcessInformation.ProcessName);
// get the EPROCESS object
EProcess ep = null;
// pid 0 is special because it's the Idle process and has no virtual address
lock (_profile.AccessLock)
{
if (job.ProcessInformation.Pid == 0)
{
ep = new EProcess(_profile, _dataProvider, physicalAddress: job.ProcessInformation.PhysicalAddress);
}
else
{
ep = new EProcess(_profile, _dataProvider, job.ProcessInformation.VirtualAddress);
}
}
if (ep.Pid != job.ProcessInformation.Pid)
{
job.Status = JobStatus.Failed;
job.ErrorMessage = "EPROCESS Virtual Address resulted in a different PID to the Process Pid";
e.Result = job;
return;
}
job.ProcessInformation.HandleTableAddress = ep.ObjectTable;
//lock (_profile.AccessLock)
{
Handles handles = new Handles(_profile, _dataProvider, job.ProcessInformation.Pid, job.ProcessInformation.HandleTableAddress);
job.ProcessInformation.HandleTable = handles.Run();
}
if (job.ProcessInformation.HandleTable != null && job.ProcessInformation.HandleTable.Count > 0)
{
ProcessHandleTable(job.ProcessInformation);
}
job.Status = JobStatus.Complete;
if (job.ProcessInformation.HandleTable == null)
{
job.Status = JobStatus.Failed;
job.ErrorMessage = "Process Had No Handles";
}
e.Result = job;
}
public PlannerTask(string text, EPriority priority, DateTime dateEnd, EState state, EProcess process)
{
Text = text;
Priority = priority;
DateEnd = dateEnd;
State = state;
Process = process;
// установка нескольких флагов
Process = EProcess.ResourceDepleted | EProcess.Pending;
// проверка включенного флага
if (Process.HasFlag(EProcess.ResourceDepleted))
{
// включен
}
}
public void Run()
{
try
{
if (0 == _pid)
{
return;
}
_isx64 = (_profile.Architecture == "AMD64");
_processInfo = _profile.Model.FindProcess(_pid);
if (null == _processInfo)
{
return;
}
EProcess ep = new EProcess(_profile, _dataProvider, _processInfo.VirtualAddress);
ulong vadRoot = ep.Members.VadRoot & 0xffffffffffff;
Traverse(vadRoot, 0);
}
catch { }
}
public ulong FindKernelDtbBody()
{
ulong physicalAddress = 0;
bool escape = false;
// check if we already have it (from the live image)
if (_kernelDtb == 0)
{
ulong filenameOffset = _profile.GetOffset("_EPROCESS", "ImageFileName");
StringSearch mySearch = new StringSearch(_dataProvider);
mySearch.AddNeedle("Idle\x00\x00\x00\x00\x00\x00\x00");
foreach (var answer in mySearch.Scan())
{
if (escape)
{
break;
}
try
{
List <ulong> hitList = answer.First().Value;
foreach (ulong hit in hitList)
{
try
{
EProcess ep = new EProcess(_profile, _dataProvider, 0, hit - filenameOffset);
dynamic test = ep.Members;
_kernelDtb = ep.DTB;
if (_kernelDtb > _dataProvider.ImageLength || _kernelDtb == 0)
{
_kernelDtb = 0;
continue;
}
if (ep.Pid != 0 || ep.Ppid != 0)
{
_kernelDtb = 0;
continue;
}
InfoHelper helper = new InfoHelper();
helper.Type = InfoHelperType.InfoDictionary;
helper.Name = "0x" + _kernelDtb.ToString("X08") + " (" + _kernelDtb.ToString() + ")";
helper.Title = "Directory Table Base";
AddToInfoDictionary("Directory Table Base", helper);
//helper = new InfoHelper();
//helper.Type = InfoHelperType.InfoDictionary;
//helper.Name = ep.Pid.ToString();
//helper.Title = "PID";
//AddToInfoDictionary("PID", helper);
//helper = new InfoHelper();
//helper.Type = InfoHelperType.InfoDictionary;
//helper.Name = ep.Ppid.ToString();
//helper.Title = "Parent PID";
//AddToInfoDictionary("Parent PID", helper);
physicalAddress = (ulong)ep.PhysicalAddress;
escape = true;
break;
}
catch (Exception ex)
{
continue;
}
}
}
catch (Exception)
{
}
}
}
return(physicalAddress);
}
public HashSet <ulong> Run()
{
// first let's see if it already exists
FileInfo cachedFile = new FileInfo(_dataProvider.CacheFolder + "\\pslist_CSRSS.gz");
if (cachedFile.Exists && !_dataProvider.IsLive)
{
OffsetMap cachedMap = RetrieveOffsetMap(cachedFile);
if (cachedMap != null)
{
return(cachedMap.OffsetRecords);
}
}
HashSet <ulong> results = new HashSet <ulong>();
// check to see if we already have a process list with CSRSS in it
if (_processList != null)
{
foreach (ProcessInfo info in _processList)
{
try
{
if (info.ProcessName == "csrss.exe")
{
ulong handleTableAddress = info.ObjectTableAddress;
HandleTable ht = new HandleTable(_profile, _dataProvider, handleTableAddress);
List <HandleTableEntry> records = EnumerateHandles(ht.TableStartAddress, ht.Level);
foreach (HandleTableEntry e in records)
{
try
{
ObjectHeader header = new ObjectHeader(_profile, _dataProvider, e.ObjectPointer);
string objectName = GetObjectName(e.TypeInfo);
if (objectName == "Process")
{
results.Add(e.ObjectPointer + (ulong)header.Size);
}
}
catch (Exception)
{
continue;
}
}
}
}
catch (Exception ex)
{
continue;
}
}
if (results.Count > 0)
{
return(TrySave(results));
}
}
// either we didn't have a process list, or it didn't contain any CSRSS processes
uint processHeadOffset = (uint)_profile.GetConstant("PsActiveProcessHead");
ulong vAddr = _profile.KernelBaseAddress + processHeadOffset;
_dataProvider.ActiveAddressSpace = _profile.KernelAddressSpace;
LIST_ENTRY le = new LIST_ENTRY(_dataProvider, vAddr);
ulong apl = (ulong)_profile.GetOffset("_EPROCESS", "ActiveProcessLinks");
List <LIST_ENTRY> lists = FindAllLists(_dataProvider, le);
foreach (LIST_ENTRY entry in lists)
{
if (entry.VirtualAddress == vAddr)
{
continue;
}
if (entry.VirtualAddress == 0)
{
continue;
}
EProcess ep = new EProcess(_profile, _dataProvider, entry.VirtualAddress - apl);
if (ep.ImageFileName == "csrss.exe")
{
ulong handleTableAddress = ep.ObjectTable;
HandleTable ht = new HandleTable(_profile, _dataProvider, handleTableAddress);
List <HandleTableEntry> records = EnumerateHandles(ht.TableStartAddress, ht.Level);
foreach (HandleTableEntry e in records)
{
try
{
ObjectHeader header = new ObjectHeader(_profile, _dataProvider, e.ObjectPointer);
string objectName = GetObjectName(e.TypeInfo);
if (objectName == "Process")
{
results.Add(e.ObjectPointer + (ulong)header.Size);
}
}
catch (Exception)
{
continue;
}
}
}
}
return(TrySave(results));
}
