async private Task PsList_Method2() { await Task.Run(() => { try { PsList2 psList = new PsList2(_profile, _dataProvider, _processList); HashSet <ulong> results = psList.Run(); foreach (ulong address in results) { EProcess ep = new EProcess(_profile, _dataProvider, address); string name = ep.ImageFileName; uint pid = ep.Pid; if (pid == 0 || name == "") { continue; } ProcessInfo p = GetProcessInfo(pid, name); if (p == null) { p = new ProcessInfo(); p.AddressSpace = _kernelAddressSpace; p.ProcessName = name; p.Pid = pid; p.Dtb = ep.DTB; p.ParentPid = ep.Ppid; p.ActiveThreads = ep.ActiveThreads; p.Session = ep.Session; p.StartTime = ep.StartTime; p.ExitTime = ep.ExitTime; p.ObjectTableAddress = ep.ObjectTable; p.FoundByMethod2 = true; p.PhysicalAddress = ep.PhysicalAddress; p.VirtualAddress = ep.VirtualAddress; AddProcess(p); } else { p.FoundByMethod2 = true; } } } catch (Exception ex) { Debug.WriteLine(ex.Message); return; } }); }
private void ProcessAProcess(object sender, DoWorkEventArgs e) { BackgroundWorker worker = sender as BackgroundWorker; Job job = e.Argument as Job; AddDebugMessage("Background Worker: " + job.ProcessInformation.ProcessName); // get the EPROCESS object EProcess ep = null; // pid 0 is special because it's the Idle process and has no virtual address lock (_profile.AccessLock) { if (job.ProcessInformation.Pid == 0) { ep = new EProcess(_profile, _dataProvider, physicalAddress: job.ProcessInformation.PhysicalAddress); } else { ep = new EProcess(_profile, _dataProvider, job.ProcessInformation.VirtualAddress); } } if (ep.Pid != job.ProcessInformation.Pid) { job.Status = JobStatus.Failed; job.ErrorMessage = "EPROCESS Virtual Address resulted in a different PID to the Process Pid"; e.Result = job; return; } job.ProcessInformation.HandleTableAddress = ep.ObjectTable; //lock (_profile.AccessLock) { Handles handles = new Handles(_profile, _dataProvider, job.ProcessInformation.Pid, job.ProcessInformation.HandleTableAddress); job.ProcessInformation.HandleTable = handles.Run(); } if (job.ProcessInformation.HandleTable != null && job.ProcessInformation.HandleTable.Count > 0) { ProcessHandleTable(job.ProcessInformation); } job.Status = JobStatus.Complete; if (job.ProcessInformation.HandleTable == null) { job.Status = JobStatus.Failed; job.ErrorMessage = "Process Had No Handles"; } e.Result = job; }
public PlannerTask(string text, EPriority priority, DateTime dateEnd, EState state, EProcess process) { Text = text; Priority = priority; DateEnd = dateEnd; State = state; Process = process; // установка нескольких флагов Process = EProcess.ResourceDepleted | EProcess.Pending; // проверка включенного флага if (Process.HasFlag(EProcess.ResourceDepleted)) { // включен } }
public void Run() { try { if (0 == _pid) { return; } _isx64 = (_profile.Architecture == "AMD64"); _processInfo = _profile.Model.FindProcess(_pid); if (null == _processInfo) { return; } EProcess ep = new EProcess(_profile, _dataProvider, _processInfo.VirtualAddress); ulong vadRoot = ep.Members.VadRoot & 0xffffffffffff; Traverse(vadRoot, 0); } catch { } }
public ulong FindKernelDtbBody() { ulong physicalAddress = 0; bool escape = false; // check if we already have it (from the live image) if (_kernelDtb == 0) { ulong filenameOffset = _profile.GetOffset("_EPROCESS", "ImageFileName"); StringSearch mySearch = new StringSearch(_dataProvider); mySearch.AddNeedle("Idle\x00\x00\x00\x00\x00\x00\x00"); foreach (var answer in mySearch.Scan()) { if (escape) { break; } try { List <ulong> hitList = answer.First().Value; foreach (ulong hit in hitList) { try { EProcess ep = new EProcess(_profile, _dataProvider, 0, hit - filenameOffset); dynamic test = ep.Members; _kernelDtb = ep.DTB; if (_kernelDtb > _dataProvider.ImageLength || _kernelDtb == 0) { _kernelDtb = 0; continue; } if (ep.Pid != 0 || ep.Ppid != 0) { _kernelDtb = 0; continue; } InfoHelper helper = new InfoHelper(); helper.Type = InfoHelperType.InfoDictionary; helper.Name = "0x" + _kernelDtb.ToString("X08") + " (" + _kernelDtb.ToString() + ")"; helper.Title = "Directory Table Base"; AddToInfoDictionary("Directory Table Base", helper); //helper = new InfoHelper(); //helper.Type = InfoHelperType.InfoDictionary; //helper.Name = ep.Pid.ToString(); //helper.Title = "PID"; //AddToInfoDictionary("PID", helper); //helper = new InfoHelper(); //helper.Type = InfoHelperType.InfoDictionary; //helper.Name = ep.Ppid.ToString(); //helper.Title = "Parent PID"; //AddToInfoDictionary("Parent PID", helper); physicalAddress = (ulong)ep.PhysicalAddress; escape = true; break; } catch (Exception ex) { continue; } } } catch (Exception) { } } } return(physicalAddress); }
public HashSet <ulong> Run() { // first let's see if it already exists FileInfo cachedFile = new FileInfo(_dataProvider.CacheFolder + "\\pslist_CSRSS.gz"); if (cachedFile.Exists && !_dataProvider.IsLive) { OffsetMap cachedMap = RetrieveOffsetMap(cachedFile); if (cachedMap != null) { return(cachedMap.OffsetRecords); } } HashSet <ulong> results = new HashSet <ulong>(); // check to see if we already have a process list with CSRSS in it if (_processList != null) { foreach (ProcessInfo info in _processList) { try { if (info.ProcessName == "csrss.exe") { ulong handleTableAddress = info.ObjectTableAddress; HandleTable ht = new HandleTable(_profile, _dataProvider, handleTableAddress); List <HandleTableEntry> records = EnumerateHandles(ht.TableStartAddress, ht.Level); foreach (HandleTableEntry e in records) { try { ObjectHeader header = new ObjectHeader(_profile, _dataProvider, e.ObjectPointer); string objectName = GetObjectName(e.TypeInfo); if (objectName == "Process") { results.Add(e.ObjectPointer + (ulong)header.Size); } } catch (Exception) { continue; } } } } catch (Exception ex) { continue; } } if (results.Count > 0) { return(TrySave(results)); } } // either we didn't have a process list, or it didn't contain any CSRSS processes uint processHeadOffset = (uint)_profile.GetConstant("PsActiveProcessHead"); ulong vAddr = _profile.KernelBaseAddress + processHeadOffset; _dataProvider.ActiveAddressSpace = _profile.KernelAddressSpace; LIST_ENTRY le = new LIST_ENTRY(_dataProvider, vAddr); ulong apl = (ulong)_profile.GetOffset("_EPROCESS", "ActiveProcessLinks"); List <LIST_ENTRY> lists = FindAllLists(_dataProvider, le); foreach (LIST_ENTRY entry in lists) { if (entry.VirtualAddress == vAddr) { continue; } if (entry.VirtualAddress == 0) { continue; } EProcess ep = new EProcess(_profile, _dataProvider, entry.VirtualAddress - apl); if (ep.ImageFileName == "csrss.exe") { ulong handleTableAddress = ep.ObjectTable; HandleTable ht = new HandleTable(_profile, _dataProvider, handleTableAddress); List <HandleTableEntry> records = EnumerateHandles(ht.TableStartAddress, ht.Level); foreach (HandleTableEntry e in records) { try { ObjectHeader header = new ObjectHeader(_profile, _dataProvider, e.ObjectPointer); string objectName = GetObjectName(e.TypeInfo); if (objectName == "Process") { results.Add(e.ObjectPointer + (ulong)header.Size); } } catch (Exception) { continue; } } } } return(TrySave(results)); }