예제 #1
0
        private void LoadHandles(MemoryObject mo)
        {
            var        dict = Dump.GetDictionary(mo);
            HandleItem item = new HandleItem();

            if (!dict.ContainsKey("Handle"))
            {
                return;
            }

            item.Handle.ProcessId = _item.Pid;
            item.Handle.Flags     = (HandleFlags)Dump.ParseInt32(dict["Flags"]);
            item.Handle.Handle    = (short)Dump.ParseInt32(dict["Handle"]);
            // Not really needed, just fill it in ignoring 32-bit vs 64-bit
            // differences.
            item.Handle.Object        = (Dump.ParseInt64(dict["Object"]) & 0xffffffff).ToIntPtr();
            item.Handle.GrantedAccess = Dump.ParseInt32(dict["GrantedAccess"]);

            if (dict.ContainsKey("TypeName"))
            {
                item.ObjectInfo.TypeName = dict["TypeName"];
                item.ObjectInfo.BestName = dict["ObjectName"];
            }

            if (Settings.Instance.HideHandlesWithNoName)
            {
                if (string.IsNullOrEmpty(item.ObjectInfo.BestName))
                {
                    return;
                }
            }

            listHandles.AddItem(item);
        }
예제 #2
0
        private void LoadToken()
        {
            var token = _processMo.GetChild("Token");

            if (token == null)
            {
                return;
            }

            var dict = Dump.GetDictionary(token);

            if (!dict.ContainsKey("UserName"))
            {
                return;
            }

            string elevated =
                dict.ContainsKey("Elevated") ?
                Dump.ParseBool(dict["Elevated"]).ToString() :
                "N/A";
            string virtualization =
                dict.ContainsKey("VirtualizationAllowed") ?
                (Dump.ParseBool(dict["VirtualizationAllowed"]) ?
                 (Dump.ParseBool(dict["VirtualizationEnabled"]) ? "Enabled" : "Disabled") :
                 "Not Allowed") : "N/A";

            _tokenProps.DumpSetTextToken(
                dict["UserName"],
                dict["UserStringSid"],
                dict["OwnerName"],
                dict["PrimaryGroupName"],
                Dump.ParseInt32(dict["SessionId"]).ToString(),
                elevated,
                virtualization
                );

            if (dict.ContainsKey("SourceName"))
            {
                _tokenProps.DumpSetTextSource(
                    dict["SourceName"],
                    "0x" + Dump.ParseInt64(dict["SourceLuid"]).ToString("x")
                    );
            }

            _tokenProps.DumpSetTextAdvanced(
                ((TokenType)Dump.ParseInt32(dict["Type"])).ToString(),
                ((SecurityImpersonationLevel)Dump.ParseInt32(dict["ImpersonationLevel"])).ToString(),
                "0x" + Dump.ParseInt64(dict["Luid"]).ToString("x"),
                "0x" + Dump.ParseInt64(dict["AuthenticationLuid"]).ToString("x"),
                Utils.FormatSize(Dump.ParseInt32(dict["MemoryUsed"])),
                Utils.FormatSize(Dump.ParseInt32(dict["MemoryAvailable"]))
                );

            using (var groups = token.GetChild("Groups"))
            {
                var groupsList = Dump.GetList(groups);

                foreach (var group in groupsList)
                {
                    var split = group.Split(';');

                    _tokenProps.DumpAddGroup(split[0], (SidAttributes)Dump.ParseInt32(split[1]));
                }
            }

            using (var privileges = token.GetChild("Privileges"))
            {
                var privilegesList = Dump.GetList(privileges);

                foreach (var privilege in privilegesList)
                {
                    var split = privilege.Split(';');

                    _tokenProps.DumpAddPrivilege(
                        split[0],
                        split[1],
                        (SePrivilegeAttributes)Dump.ParseInt32(split[2])
                        );
                }
            }

            token.Dispose();
        }