private PebData ReadPebData() { if (_process.GetArchitecture() == Architecture.X86) { Span <byte> pebAddressBuffer = stackalloc byte[IntPtr.Size]; // Query the process for the address of its WOW64 PEB var ntStatus = Ntdll.NtQueryInformationProcess(_process.SafeHandle, ProcessInformationClass.Wow64Information, out pebAddressBuffer[0], pebAddressBuffer.Length, out _); if (ntStatus != NtStatus.Success) { throw new Win32Exception(Ntdll.RtlNtStatusToDosError(ntStatus)); } var pebAddress = MemoryMarshal.Read <IntPtr>(pebAddressBuffer); // Read the WOW64 PEB var peb = _process.ReadStructure <Peb32>(pebAddress); return(new PebData(SafeHelpers.CreateSafeIntPtr(peb.ApiSetMap), SafeHelpers.CreateSafeIntPtr(peb.Ldr))); } else { Span <byte> basicInformationBuffer = stackalloc byte[Unsafe.SizeOf <ProcessBasicInformation64>()]; // Query the process for its basic information var ntStatus = Ntdll.NtQueryInformationProcess(_process.SafeHandle, ProcessInformationClass.BasicInformation, out basicInformationBuffer[0], basicInformationBuffer.Length, out _); if (ntStatus != NtStatus.Success) { throw new Win32Exception(Ntdll.RtlNtStatusToDosError(ntStatus)); } var basicInformation = MemoryMarshal.Read <ProcessBasicInformation64>(basicInformationBuffer); // Read the PEB var peb = _process.ReadStructure <Peb64>(SafeHelpers.CreateSafeIntPtr(basicInformation.PebBaseAddress)); return(new PebData(SafeHelpers.CreateSafeIntPtr(peb.ApiSetMap), SafeHelpers.CreateSafeIntPtr(peb.Ldr))); } }
private static IntPtr GetLoaderAddress(Process process) { if (process.GetArchitecture() == Architecture.X86) { IntPtr pebAddress; if (Environment.Is64BitOperatingSystem) { // Query the process for the address of its WOW64 PEB pebAddress = process.QueryInformation <IntPtr>(ProcessInformationType.Wow64Information); } else { // Query the process for its basic information var basicInformation = process.QueryInformation <ProcessBasicInformation32>(ProcessInformationType.BasicInformation); pebAddress = SafeHelpers.CreateSafePointer(basicInformation.PebBaseAddress); } // Read the PEB var peb = process.ReadStructure <Peb32>(pebAddress); return(SafeHelpers.CreateSafePointer(peb.Ldr)); } else { // Query the process for its basic information var basicInformation = process.QueryInformation <ProcessBasicInformation64>(ProcessInformationType.BasicInformation); var pebAddress = SafeHelpers.CreateSafePointer(basicInformation.PebBaseAddress); // Read the PEB var peb = process.ReadStructure <Peb64>(pebAddress); return(SafeHelpers.CreateSafePointer(peb.Ldr)); } }
public void OnRecognize(string ruleName, string text, Action <string> speaker) { if (ruleName == RuleNames.First()) { var app = text.Replace(openPrefix, string.Empty).Trim(); string path; if (!lnkDict.TryGetValue(app, out path)) { return; } Process.Start(path); speaker(string.Format("Started {0}.", app)); return; } if (ruleName == RuleNames.Last()) { var app = text.Replace(closePrefix, string.Empty).Trim(); string path; if (!lnkDict.TryGetValue(app, out path)) { return; } var proc = Process.GetProcesses().OrderByDescending(p => SafeHelpers.GetStartTimeSafe(p)).FirstOrDefault( p => { var mod = SafeHelpers.GetModulesSafe(p).FirstOrDefault(); return(mod == null ? false : mod.FileName == path ? true : Path.GetFileName(mod.FileName) == Path.GetFileName(path)); }); if (proc == null) { speaker(string.Format("Couldn't find {0}!", app)); return; } SafeHelpers.TrySafe(() => proc.CloseMainWindow()); SafeHelpers.TrySafe(() => proc.Close()); SafeHelpers.TrySafe(() => proc.Kill()); speaker(string.Format("Closed {0}.", app)); return; } }
private static DateTime GetLogonTime() { return(Process.GetProcesses().Select(p => SafeHelpers.GetStartTimeSafe(p)).Min().GetValueOrDefault()); }
internal IEnumerable <Module> ReadModules() { if (_process.GetArchitecture() == Architecture.X86) { // Read the loader data of the PEB var loaderData = _process.ReadStructure <PebLdrData32>(_pebData.LoaderAddress); // Traverse the InMemoryOrder module list var currentEntryAddress = SafeHelpers.CreateSafeIntPtr(loaderData.InMemoryOrderModuleList.Flink); var inMemoryOrderLinksOffset = Marshal.OffsetOf <LdrDataTableEntry32>("InMemoryOrderLinks"); while (true) { // Read the entry var entryAddress = currentEntryAddress - (int)inMemoryOrderLinksOffset; var entry = _process.ReadStructure <LdrDataTableEntry32>(entryAddress); // Read the file path of the entry var entryFilePathAddress = SafeHelpers.CreateSafeIntPtr(entry.FullDllName.Buffer); var entryFilePathBuffer = _process.ReadBuffer <byte>(entryFilePathAddress, entry.FullDllName.Length); var entryFilePath = Encoding.Unicode.GetString(entryFilePathBuffer); if (Environment.Is64BitOperatingSystem) { // Redirect the file path to the WOW64 system directory entryFilePath = entryFilePath.Replace("System32", "SysWOW64", StringComparison.OrdinalIgnoreCase); } // Read the name of the entry var entryNameAddress = SafeHelpers.CreateSafeIntPtr(entry.BaseDllName.Buffer); var entryNameBuffer = _process.ReadBuffer <byte>(entryNameAddress, entry.BaseDllName.Length); var entryName = Encoding.Unicode.GetString(entryNameBuffer); yield return(new Module(SafeHelpers.CreateSafeIntPtr(entry.DllBase), entryFilePath, entryName)); if ((int)currentEntryAddress == loaderData.InMemoryOrderModuleList.Blink) { break; } // Set the address of the next entry currentEntryAddress = SafeHelpers.CreateSafeIntPtr(entry.InMemoryOrderLinks.Flink); } } else { // Read the loader data of the PEB var loaderData = _process.ReadStructure <PebLdrData64>(_pebData.LoaderAddress); // Traverse the InMemoryOrder module list var currentEntryAddress = SafeHelpers.CreateSafeIntPtr(loaderData.InMemoryOrderModuleList.Flink); var inMemoryOrderLinksOffset = Marshal.OffsetOf <LdrDataTableEntry64>("InMemoryOrderLinks"); while (true) { // Read the entry var entryAddress = currentEntryAddress - (int)inMemoryOrderLinksOffset; var entry = _process.ReadStructure <LdrDataTableEntry64>(entryAddress); // Read the file path of the entry var entryFilePathAddress = SafeHelpers.CreateSafeIntPtr(entry.FullDllName.Buffer); var entryFilePathBuffer = _process.ReadBuffer <byte>(entryFilePathAddress, entry.FullDllName.Length); var entryFilePath = Encoding.Unicode.GetString(entryFilePathBuffer); // Read the name of the entry var entryNameAddress = SafeHelpers.CreateSafeIntPtr(entry.BaseDllName.Buffer); var entryNameBuffer = _process.ReadBuffer <byte>(entryNameAddress, entry.BaseDllName.Length); var entryName = Encoding.Unicode.GetString(entryNameBuffer); yield return(new Module(SafeHelpers.CreateSafeIntPtr(entry.DllBase), entryFilePath, entryName)); if ((long)currentEntryAddress == loaderData.InMemoryOrderModuleList.Blink) { break; } // Set the address of the next entry currentEntryAddress = SafeHelpers.CreateSafeIntPtr(entry.InMemoryOrderLinks.Flink); } } }
internal Module?GetModule(string moduleName) { if (_process.GetArchitecture() == Architecture.X86) { // Read the loader data var loaderData = _process.ReadStructure <PebLdrData32>(_address); var currentEntryAddress = SafeHelpers.CreateSafePointer(loaderData.InLoadOrderModuleList.Flink); while (true) { // Read the entry var entry = _process.ReadStructure <LdrDataTableEntry32>(currentEntryAddress); // Read the name of the entry var entryNameAddress = SafeHelpers.CreateSafePointer(entry.BaseDllName.Buffer); var entryName = _process.ReadString(entryNameAddress, entry.BaseDllName.Length); if (moduleName.Equals(entryName, StringComparison.OrdinalIgnoreCase)) { // Read the file path of the entry var entryFilePathAddress = SafeHelpers.CreateSafePointer(entry.FullDllName.Buffer); var entryFilePath = _process.ReadString(entryFilePathAddress, entry.FullDllName.Length); if (Environment.Is64BitOperatingSystem) { // Redirect the file path to the WOW64 directory entryFilePath = entryFilePath.Replace("System32", "SysWOW64", StringComparison.OrdinalIgnoreCase); } return(new Module(SafeHelpers.CreateSafePointer(entry.DllBase), entryName, new PeImage(File.ReadAllBytes(entryFilePath)))); } if (currentEntryAddress.ToInt32() == loaderData.InLoadOrderModuleList.Blink) { break; } currentEntryAddress = SafeHelpers.CreateSafePointer(entry.InLoadOrderLinks.Flink); } } else { // Read the loader data var loaderData = _process.ReadStructure <PebLdrData64>(_address); var currentEntryAddress = SafeHelpers.CreateSafePointer(loaderData.InLoadOrderModuleList.Flink); while (true) { // Read the entry var entry = _process.ReadStructure <LdrDataTableEntry64>(currentEntryAddress); // Read the name of the entry var entryNameAddress = SafeHelpers.CreateSafePointer(entry.BaseDllName.Buffer); var entryName = _process.ReadString(entryNameAddress, entry.BaseDllName.Length); if (moduleName.Equals(entryName, StringComparison.OrdinalIgnoreCase)) { // Read the file path of the entry var entryFilePathAddress = SafeHelpers.CreateSafePointer(entry.FullDllName.Buffer); var entryFilePath = _process.ReadString(entryFilePathAddress, entry.FullDllName.Length); return(new Module(SafeHelpers.CreateSafePointer(entry.DllBase), entryName, new PeImage(File.ReadAllBytes(entryFilePath)))); } if (currentEntryAddress.ToInt64() == loaderData.InLoadOrderModuleList.Blink) { break; } currentEntryAddress = SafeHelpers.CreateSafePointer(entry.InLoadOrderLinks.Flink); } } return(null); }