private void decommitMenuItem_Click(object sender, EventArgs e) { if (PhUtils.ShowConfirmMessage( "decommit", "the memory region", "Decommitting memory regions may cause the process to crash.", true )) { try { using (ProcessHandle phandle = new ProcessHandle(_pid, ProcessAccess.VmOperation)) { MemoryItem item = (MemoryItem)listMemory.SelectedItems[0].Tag; phandle.FreeMemory(item.Address, (int)item.Size, true); } } catch (Exception ex) { PhUtils.ShowException("Unable to decommit the memory region", ex); } } }
private void removeMenuItem_Click(object sender, EventArgs e) { if (PhUtils.ShowConfirmMessage( "remove", "the selected privilege(s)", "Removing privileges may reduce the functionality of the process, " + "and is permanent for the lifetime of the process.", false )) { foreach (ListViewItem item in listPrivileges.SelectedItems) { try { using (var thandle = _object.GetToken(TokenAccess.AdjustPrivileges)) thandle.SetPrivilege(item.Text, SePrivilegeAttributes.Removed); item.Remove(); } catch (Exception ex) { if (!PhUtils.ShowContinueMessage( "Unable to remove " + item.Text, ex )) { return; } } } } }
private void destroyMenuItem_Click(object sender, EventArgs e) { if (!PhUtils.ShowConfirmMessage( "destroy", "the selected heap", "Destroying a heap may cause the process to crash.", true )) { return; } try { using (var phandle = new ProcessHandle(_pid, ProcessAccess.CreateThread | ProcessAccess.QueryInformation | ProcessAccess.VmOperation)) { // Use RtlCreateUserThread to cross session boundaries. RtlDestroyHeap doesn't need // the Win32 subsystem so we don't have to notify CSR. phandle.CreateThread( Win32.GetProcAddress(Win32.GetModuleHandle("ntdll.dll"), "RtlDestroyHeap"), ((HeapInformation)listHeaps.SelectedItems[0].Tag).Address ).Dispose(); } listHeaps.SelectedItems[0].ForeColor = Color.Red; listHeaps.SelectedItems.Clear(); } catch (WindowsException ex) { PhUtils.ShowException("Unable to destroy the heap", ex); } }
private void buttonRun_Click(object sender, EventArgs e) { if (!PhUtils.ShowConfirmMessage("run", "the tests", null, false)) { return; } foreach (string test in _tests) { if (test == "TT4") { if (!PhUtils.ShowConfirmMessage( "run", "the TT4 test", "This test may cause the system to crash.", true )) { continue; } } if (this.RunTest(test)) { return; } } }
private void listTests_DoubleClick(object sender, EventArgs e) { if (!PhUtils.ShowConfirmMessage("run", "the selected test", null, false)) { return; } this.RunTest(listTests.SelectedItems[0].Name); }
private void buttonReset_Click(object sender, EventArgs e) { if (PhUtils.ShowConfirmMessage("reset", "the settings and restart Process Hacker", null, false)) { Settings.Instance.Reset(); Program.GlobalMutex.Dispose(); Program.TryStart(ProcessHandle.Current.MainModule.FileName); Program.HackerWindow.Exit(false); } }
public static bool ConfirmHandleClose() { if (Settings.Instance.WarnDangerous) { return(PhUtils.ShowConfirmMessage( "close", "the selected handle(s)", "Closing handles may cause system instability and data corruption.", false )); } return(true); }
private void SetDepStatusNoKph() { if (comboStatus.SelectedItem.ToString().StartsWith("Enabled")) { if (!PhUtils.ShowConfirmMessage( "set", "the DEP status", "Enabling DEP in a process is a permanent action.", false)) { return; } } DepFlags flags = DepFlags.Enable; if (comboStatus.SelectedItem.ToString() == "Disabled") { flags = DepFlags.Disable; } else if (comboStatus.SelectedItem.ToString() == "Enabled") { flags = DepFlags.Enable; } else if (comboStatus.SelectedItem.ToString() == "Enabled, DEP-ATL thunk emulation disabled") { flags = DepFlags.Enable | DepFlags.DisableAtlThunkEmulation; } else { PhUtils.ShowError("Invalid value."); return; } try { IntPtr kernel32 = Win32.GetModuleHandle("kernel32.dll"); IntPtr setProcessDepPolicy = Win32.GetProcAddress(kernel32, "SetProcessDEPPolicy"); if (setProcessDepPolicy == IntPtr.Zero) { throw new Exception("This feature is not supported on your version of Windows."); } using (ProcessHandle phandle = new ProcessHandle(_pid, Program.MinProcessQueryRights | ProcessAccess.VmOperation | ProcessAccess.VmRead | ProcessAccess.CreateThread)) { var thread = phandle.CreateThreadWin32(setProcessDepPolicy, new IntPtr((int)flags)); thread.Wait(1000 * Win32.TimeMsTo100Ns); int exitCode = thread.GetExitCode(); if (exitCode == 0) { throw new Exception("Unspecified error."); } } this.DialogResult = DialogResult.OK; this.Close(); } catch (Exception ex) { PhUtils.ShowException("Unable to set the DEP status", ex); } }
private void unloadMenuItem_Click(object sender, EventArgs e) { if (!PhUtils.ShowConfirmMessage( "Unload", _pid != 4 ? "the selected module" : "the selected driver", _pid != 4 ? "Unloading a module may cause the process to crash." : "Unloading a driver may cause system instability.", true )) { return; } if (_pid == 4) { try { var moduleItem = (ModuleItem)listModules.SelectedItems[0].Tag; string serviceName = null; // Try to find the name of the service key for the driver by // looping through the objects in the Driver directory and // opening each one. using (var dhandle = new DirectoryHandle("\\Driver", DirectoryAccess.Query)) { foreach (var obj in dhandle.GetObjects()) { try { using (var driverHandle = new DriverHandle("\\Driver\\" + obj.Name)) { if (driverHandle.GetBasicInformation().DriverStart == moduleItem.BaseAddress) { serviceName = driverHandle.GetServiceKeyName(); break; } } } catch { } } } // If we didn't find the service name, use the driver base name. if (serviceName == null) { if (moduleItem.Name.ToLower().EndsWith(".sys")) { serviceName = moduleItem.Name.Remove(moduleItem.Name.Length - 4, 4); } else { serviceName = moduleItem.Name; } } RegistryKey servicesKey = Registry.LocalMachine.OpenSubKey("SYSTEM\\CurrentControlSet\\Services", true); bool serviceKeyCreated; RegistryKey serviceKey; // Check if the service key exists so that we don't delete it // later if it does. if (Array.Exists <string>(servicesKey.GetSubKeyNames(), (keyName) => (string.Compare(keyName, serviceName, true) == 0))) { serviceKeyCreated = false; } else { serviceKeyCreated = true; // Create the service key. serviceKey = servicesKey.CreateSubKey(serviceName); serviceKey.SetValue("ErrorControl", 1, RegistryValueKind.DWord); serviceKey.SetValue("ImagePath", "\\??\\" + moduleItem.FileName, RegistryValueKind.ExpandString); serviceKey.SetValue("Start", 1, RegistryValueKind.DWord); serviceKey.SetValue("Type", 1, RegistryValueKind.DWord); serviceKey.Close(); servicesKey.Flush(); } try { Windows.UnloadDriver(serviceName); } finally { if (serviceKeyCreated) { servicesKey.DeleteSubKeyTree(serviceName); } servicesKey.Close(); } listModules.SelectedItems.Clear(); } catch (Exception ex) { MessageBox.Show("Unable to unload the driver. Make sure Process Hacker " + "is running with administrative privileges. Error:\n\n" + ex.Message, "Process Hacker", MessageBoxButtons.OK, MessageBoxIcon.Error); } } else { try { using (ProcessHandle phandle = new ProcessHandle(_pid, Program.MinProcessQueryRights | ProcessAccess.VmOperation | ProcessAccess.VmRead | ProcessAccess.VmWrite | ProcessAccess.CreateThread)) { IntPtr baseAddress = ((ModuleItem)listModules.SelectedItems[0].Tag).BaseAddress; phandle.SetModuleReferenceCount(baseAddress, 1); ThreadHandle thread; if (OSVersion.IsAboveOrEqual(WindowsVersion.Vista)) { // Use RtlCreateUserThread to bypass session boundaries. Since // LdrUnloadDll is a native function we don't need to notify CSR. thread = phandle.CreateThread( Loader.GetProcedure("ntdll.dll", "LdrUnloadDll"), baseAddress ); } else { // On XP it seems we need to notify CSR... thread = phandle.CreateThreadWin32( Loader.GetProcedure("kernel32.dll", "FreeLibrary"), baseAddress ); } thread.Wait(1000 * Win32.TimeMsTo100Ns); NtStatus exitStatus = thread.GetExitStatus(); if (exitStatus == NtStatus.DllNotFound) { if (IntPtr.Size == 8) { PhUtils.ShowError("Unable to find the module to unload. This may be caused " + "by an attempt to unload a mapped file or a 32-bit module."); } else { PhUtils.ShowError("Unable to find the module to unload. This may be caused " + "by an attempt to unload a mapped file."); } } else { exitStatus.ThrowIf(); } thread.Dispose(); } listModules.SelectedItems.Clear(); } catch (Exception ex) { PhUtils.ShowException("Unable to unload the module", ex); } } }