private void LoadHandles(MemoryObject mo) { var dict = Dump.GetDictionary(mo); HandleItem item = new HandleItem(); if (!dict.ContainsKey("Handle")) { return; } item.Handle.ProcessId = _item.Pid; item.Handle.Flags = (HandleFlags)Dump.ParseInt32(dict["Flags"]); item.Handle.Handle = (short)Dump.ParseInt32(dict["Handle"]); // Not really needed, just fill it in ignoring 32-bit vs 64-bit // differences. item.Handle.Object = (Dump.ParseInt64(dict["Object"]) & 0xffffffff).ToIntPtr(); item.Handle.GrantedAccess = Dump.ParseInt32(dict["GrantedAccess"]); if (dict.ContainsKey("TypeName")) { item.ObjectInfo.TypeName = dict["TypeName"]; item.ObjectInfo.BestName = dict["ObjectName"]; } if (Settings.Instance.HideHandlesWithNoName) { if (string.IsNullOrEmpty(item.ObjectInfo.BestName)) { return; } } listHandles.AddItem(item); }
private void LoadSystemInformation() { MemoryObject sysInfoMo; sysInfoMo = _mfs.RootObject.GetChild("SystemInformation"); if (sysInfoMo == null) { PhUtils.ShowWarning("The dump file does not contain system information. This most likely " + "means the file is corrupt."); return; } var dict = Dump.GetDictionary(sysInfoMo); sysInfoMo.Dispose(); _phVersion = dict["ProcessHackerVersion"]; _osVersion = dict["OSVersion"]; _architecture = (OSArch)Dump.ParseInt32(dict["Architecture"]); _userName = dict["UserName"]; treeProcesses.DumpUserName = _userName; this.Text = "Process Hacker " + _phVersion + " [" + _userName + "] (" + _osVersion + ", " + (_architecture == OSArch.I386 ? "32-bit" : "64-bit") + ")"; }
private void LoadService(MemoryObject mo) { ServiceItem item = new ServiceItem(); var dict = Dump.GetDictionary(mo); item.Status.ServiceName = dict["Name"]; item.Status.DisplayName = dict["DisplayName"]; item.Status.ServiceStatusProcess.ControlsAccepted = (ServiceAccept)Dump.ParseInt32(dict["ControlsAccepted"]); item.Status.ServiceStatusProcess.CurrentState = (ServiceState)Dump.ParseInt32(dict["State"]); item.Status.ServiceStatusProcess.ProcessID = Dump.ParseInt32(dict["ProcessId"]); item.Status.ServiceStatusProcess.ServiceFlags = (ServiceFlags)Dump.ParseInt32(dict["Flags"]); item.Status.ServiceStatusProcess.ServiceType = (ServiceType)Dump.ParseInt32(dict["Type"]); if (dict.ContainsKey("BinaryPath")) { item.Config.BinaryPathName = dict["BinaryPath"]; item.Config.DisplayName = item.Status.DisplayName; item.Config.ErrorControl = (ServiceErrorControl)Dump.ParseInt32(dict["ErrorControl"]); item.Config.LoadOrderGroup = dict["Group"]; item.Config.ServiceStartName = dict["UserName"]; item.Config.ServiceType = item.Status.ServiceStatusProcess.ServiceType; item.Config.StartType = (ServiceStartType)Dump.ParseInt32(dict["StartType"]); if (dict.ContainsKey("ServiceDll")) { item.ServiceDll = dict["ServiceDll"]; } } _services.Add(item.Status.ServiceName, item); listServices.AddItem(item); if (item.Status.ServiceStatusProcess.ProcessID != 0) { if (!_processServices.ContainsKey(item.Status.ServiceStatusProcess.ProcessID)) { _processServices.Add(item.Status.ServiceStatusProcess.ProcessID, new List <string>()); } _processServices[item.Status.ServiceStatusProcess.ProcessID].Add(item.Status.ServiceName); } }
private void LoadModule(MemoryObject mo) { var dict = Dump.GetDictionary(mo); ModuleItem item = new ModuleItem(); item.BaseAddress = Dump.ParseUInt64(dict["BaseAddress"]); item.Size = Dump.ParseInt32(dict["Size"]); item.Flags = (LdrpDataTableEntryFlags)Dump.ParseInt32(dict["Flags"]); item.Name = dict["Name"]; item.FileName = dict["FileName"]; if (dict.ContainsKey("FileDescription")) { item.FileDescription = dict["FileDescription"]; item.FileCompanyName = dict["FileCompanyName"]; item.FileVersion = dict["FileVersion"]; } listModules.AddItem(item); }
public DumpServiceWindow(ServiceItem item, MemoryObject serviceMo) { InitializeComponent(); this.AddEscapeToClose(); _serviceMo = serviceMo; this.Text = "Service - " + item.Status.ServiceName; labelServiceName.Text = item.Status.ServiceName; labelServiceDisplayName.Text = item.Status.DisplayName; textServiceType.Text = item.Config.ServiceType.ToString(); if (item.Config.ServiceType == (ServiceType.Win32OwnProcess | ServiceType.InteractiveProcess)) { textServiceType.Text = "Win32OwnProcess, InteractiveProcess"; } else if (item.Config.ServiceType == (ServiceType.Win32ShareProcess | ServiceType.InteractiveProcess)) { textServiceType.Text = "Win32ShareProcess, InteractiveProcess"; } textStartType.Text = item.Config.StartType.ToString(); textErrorControl.Text = item.Config.ErrorControl.ToString(); textLoadOrderGroup.Text = item.Config.LoadOrderGroup; textServiceBinaryPath.Text = item.Config.BinaryPathName; textUserAccount.Text = item.Config.ServiceStartName; textServiceDll.Text = item.ServiceDll; try { var dict = Dump.GetDictionary(_serviceMo); if (dict.ContainsKey("Description")) { textDescription.Text = dict["Description"]; } } catch { } }
private void LoadEnvironment() { MemoryObject env = _processMo.GetChild("Environment"); if (env == null) { return; } IDictionary <string, string> dict = Dump.GetDictionary(env); foreach (var kvp in dict) { if (!string.IsNullOrEmpty(kvp.Key)) { listEnvironment.Items.Add(new ListViewItem(new[] { kvp.Key, kvp.Value })); } } env.Dispose(); }
private void LoadToken() { var token = _processMo.GetChild("Token"); if (token == null) { return; } var dict = Dump.GetDictionary(token); if (!dict.ContainsKey("UserName")) { return; } string elevated = dict.ContainsKey("Elevated") ? Dump.ParseBool(dict["Elevated"]).ToString() : "N/A"; string virtualization = dict.ContainsKey("VirtualizationAllowed") ? (Dump.ParseBool(dict["VirtualizationAllowed"]) ? (Dump.ParseBool(dict["VirtualizationEnabled"]) ? "Enabled" : "Disabled") : "Not Allowed") : "N/A"; _tokenProps.DumpSetTextToken( dict["UserName"], dict["UserStringSid"], dict["OwnerName"], dict["PrimaryGroupName"], Dump.ParseInt32(dict["SessionId"]).ToString(), elevated, virtualization ); if (dict.ContainsKey("SourceName")) { _tokenProps.DumpSetTextSource( dict["SourceName"], "0x" + Dump.ParseInt64(dict["SourceLuid"]).ToString("x") ); } _tokenProps.DumpSetTextAdvanced( ((TokenType)Dump.ParseInt32(dict["Type"])).ToString(), ((SecurityImpersonationLevel)Dump.ParseInt32(dict["ImpersonationLevel"])).ToString(), "0x" + Dump.ParseInt64(dict["Luid"]).ToString("x"), "0x" + Dump.ParseInt64(dict["AuthenticationLuid"]).ToString("x"), Utils.FormatSize(Dump.ParseInt32(dict["MemoryUsed"])), Utils.FormatSize(Dump.ParseInt32(dict["MemoryAvailable"])) ); using (var groups = token.GetChild("Groups")) { var groupsList = Dump.GetList(groups); foreach (var group in groupsList) { var split = group.Split(';'); _tokenProps.DumpAddGroup(split[0], (SidAttributes)Dump.ParseInt32(split[1])); } } using (var privileges = token.GetChild("Privileges")) { var privilegesList = Dump.GetList(privileges); foreach (var privilege in privilegesList) { var split = privilege.Split(';'); _tokenProps.DumpAddPrivilege( split[0], split[1], (SePrivilegeAttributes)Dump.ParseInt32(split[2]) ); } } token.Dispose(); }
private void LoadProperties() { var names = _processMo.ChildNames; if (names.Contains("LargeIcon")) { using (var largeIcon = _processMo.GetChild("LargeIcon")) pictureIcon.Image = Dump.GetIcon(largeIcon).ToBitmap(); } else { pictureIcon.Image = Properties.Resources.Process.ToBitmap(); } if (_item.VersionInfo != null) { textFileDescription.Text = _item.VersionInfo.FileDescription; textFileCompany.Text = _item.VersionInfo.CompanyName; textFileVersion.Text = _item.VersionInfo.FileVersion; } else { textFileDescription.Text = _item.Name; textFileCompany.Text = string.Empty; textFileVersion.Text = string.Empty; } textFileName.Text = _item.FileName; if (_item.VerifyResult == VerifyResult.Trusted) { if (!string.IsNullOrEmpty(_item.VerifySignerName)) { textFileCompany.Text = _item.VerifySignerName + " (verified)"; } else { textFileCompany.Text += " (verified)"; } } textStartTime.Text = _item.CreateTime.ToString(); textCmdLine.Text = _item.CmdLine; if (_item.HasParent) { if (_hw.Processes.ContainsKey(_item.ParentPid)) { textParent.Text = _hw.Processes[_item.ParentPid].Name + " (" + _item.ParentPid.ToString() + ")"; } else { textParent.Text = "Non-existent Process (" + _item.ParentPid.ToString() + ")"; buttonInspectParent.Enabled = false; } } else if (_item.ParentPid == -1) { textParent.Text = "No Parent Process"; buttonInspectParent.Enabled = false; } else { textParent.Text = "Non-existent Process (" + _item.ParentPid.ToString() + ")"; buttonInspectParent.Enabled = false; } using (var general = _processMo.GetChild("General")) { var dict = Dump.GetDictionary(general); if (dict.ContainsKey("CurrentDirectory")) { textCurrentDirectory.Text = dict["CurrentDirectory"]; } if (dict.ContainsKey("DepStatus")) { DepStatus status = (DepStatus)Dump.ParseInt32(dict["DepStatus"]); if ((status & DepStatus.Enabled) != 0) { textDEP.Text = "Enabled"; } else { textDEP.Text = "Disabled"; } if ((status & DepStatus.Permanent) != 0) { textDEP.Text += ", Permanent"; } if ((status & DepStatus.AtlThunkEmulationDisabled) != 0) { textDEP.Text += ", DEP-ATL thunk emulation disabled"; } } if (_hw.Architecture == OSArch.Amd64) { labelProcessType.Visible = true; labelProcessTypeValue.Visible = true; labelProcessTypeValue.Text = _item.IsWow64 ? "32-bit" : "64-bit"; } else { labelProcessType.Visible = false; labelProcessTypeValue.Visible = false; } } }
private void LoadProcess(MemoryObject mo) { var names = mo.GetChildNames(); ProcessItem pitem; if (!names.Contains("General")) { return; } IDictionary <string, string> generalDict; using (var general = mo.GetChild("General")) generalDict = Dump.GetDictionary(general); pitem = new ProcessItem(); pitem.Pid = Dump.ParseInt32(generalDict["ProcessId"]); pitem.Name = generalDict["Name"]; pitem.ParentPid = Dump.ParseInt32(generalDict["ParentPid"]); if (generalDict.ContainsKey("HasParent")) { pitem.HasParent = Dump.ParseBool(generalDict["HasParent"]); } if (generalDict.ContainsKey("StartTime")) { pitem.CreateTime = Dump.ParseDateTime(generalDict["StartTime"]); } if (generalDict.ContainsKey("SessionId")) { pitem.SessionId = Dump.ParseInt32(generalDict["SessionId"]); } if (generalDict.ContainsKey("FileName")) { pitem.FileName = generalDict["FileName"]; } if (generalDict.ContainsKey("FileDescription")) { pitem.VersionInfo = new ImageVersionInfo(); pitem.VersionInfo.FileDescription = generalDict["FileDescription"]; pitem.VersionInfo.CompanyName = generalDict["FileCompanyName"]; pitem.VersionInfo.FileVersion = generalDict["FileVersion"]; pitem.VersionInfo.FileName = pitem.FileName; } if (generalDict.ContainsKey("CommandLine")) { pitem.CmdLine = generalDict["CommandLine"]; } if (generalDict.ContainsKey("IsPosix")) { pitem.IsPosix = Dump.ParseBool(generalDict["IsPosix"]); } if (generalDict.ContainsKey("IsWow64")) { pitem.IsWow64 = Dump.ParseBool(generalDict["IsWow64"]); } if (generalDict.ContainsKey("IsBeingDebugged")) { pitem.IsBeingDebugged = Dump.ParseBool(generalDict["IsBeingDebugged"]); } if (generalDict.ContainsKey("UserName")) { pitem.Username = generalDict["UserName"]; } if (generalDict.ContainsKey("ElevationType")) { pitem.ElevationType = (TokenElevationType)Dump.ParseInt32(generalDict["ElevationType"]); } if (generalDict.ContainsKey("CpuUsage")) { pitem.CpuUsage = float.Parse(generalDict["CpuUsage"]); } if (generalDict.ContainsKey("JobName")) { pitem.JobName = generalDict["JobName"]; } if (generalDict.ContainsKey("IsInJob")) { pitem.IsInJob = Dump.ParseBool(generalDict["IsInJob"]); } if (generalDict.ContainsKey("IsInSignificantJob")) { pitem.IsInSignificantJob = Dump.ParseBool(generalDict["IsInSignificantJob"]); } if (generalDict.ContainsKey("Integrity")) { pitem.Integrity = generalDict["Integrity"]; } if (generalDict.ContainsKey("IntegrityLevel")) { pitem.IntegrityLevel = Dump.ParseInt32(generalDict["IntegrityLevel"]); } if (generalDict.ContainsKey("IsDotNet")) { pitem.IsDotNet = Dump.ParseBool(generalDict["IsDotNet"]); } if (generalDict.ContainsKey("IsPacked")) { pitem.IsPacked = Dump.ParseBool(generalDict["IsPacked"]); } if (generalDict.ContainsKey("VerifyResult")) { pitem.VerifyResult = (VerifyResult)Dump.ParseInt32(generalDict["VerifyResult"]); } if (generalDict.ContainsKey("VerifySignerName")) { pitem.VerifySignerName = generalDict["VerifySignerName"]; } if (generalDict.ContainsKey("ImportFunctions")) { pitem.ImportFunctions = Dump.ParseInt32(generalDict["ImportFunctions"]); } if (generalDict.ContainsKey("ImportModules")) { pitem.ImportModules = Dump.ParseInt32(generalDict["ImportModules"]); } if (names.Contains("SmallIcon")) { using (var smallIcon = mo.GetChild("SmallIcon")) pitem.Icon = Dump.GetIcon(smallIcon); } if (names.Contains("VmCounters")) { using (var vmCounters = mo.GetChild("VmCounters")) pitem.Process.VirtualMemoryCounters = Dump.GetStruct <VmCountersEx64>(vmCounters).ToVmCountersEx(); } if (names.Contains("IoCounters")) { using (var ioCounters = mo.GetChild("IoCounters")) pitem.Process.IoCounters = Dump.GetStruct <IoCounters>(ioCounters); } _processes.Add(pitem.Pid, pitem); treeProcesses.AddItem(pitem); }