Exemplos de Win32Helper.SYSTEM_PROCESS_INFORMATION em C# (CSharp)

Linguagem de programação: C# (CSharp)

Classe / Tipo: Win32Helper.SYSTEM_PROCESS_INFORMATION

Exemplos em hotexamples.com: 2

Win32Helper.SYSTEM_PROCESS_INFORMATION em C# (CSharp) - 2 exemplos encontrados. Esses são os exemplos do mundo real mais bem avaliados de Win32Helper.SYSTEM_PROCESS_INFORMATION em C# (CSharp) extraídos de projetos de código aberto. Você pode avaliar os exemplos para nos ajudar a melhorar a qualidade deles.

Relacionados

index_size_info

WS_ClassRow

AdGroupOperation

HMDAPreapprovalTypes

BOM

MemberIdentityUser

ExtendedTimeParser

GameEventListenerString

IFieldViewProvider

AggregateRequestsExpression

Related in langs

NLLists (PHP)

ProjectStatusFolder (PHP)

insertSyncAction (C++)

getVocabulary (C++)

Delete (Go)

HasUnrecognized (Go)

TestConfiguration (Java)

DebtModel (Java)

SciOCR (Python)

dilated_convolution_2d (Python)

Exemplo n.º 1

0

Exibir arquivo

Arquivo: HeuristicsUserModeHelper.cs Projeto: radtek/codeword

///////////////////////////////////////////////////// // // // IsProcessPidInZwqUMList() // // // ///////////////////////////////////////////////////// //Description: Determines whether or not the given pid // exists in the process list obtained from // the ZwQuerySystemInformation() in user mode. // //Returns: true if it was found in the list ///////////////////////////////////////////////////// internal static bool IsProcessPidInZwqUMList(uint pid) { Win32Helper.SYSTEM_PROCESS_INFORMATION[] umProcListZwq = new Win32Helper.SYSTEM_PROCESS_INFORMATION[0]; try { umProcListZwq = Win32Helper.GetActiveProcessList(); } catch (Exception ex) { AgentScanLog.AppendLine("SCAN: Failed to get process list using ZwQuerySystemInformation from user mode: " + ex.Message); return(true); } foreach (Win32Helper.SYSTEM_PROCESS_INFORMATION process in umProcListZwq) { if (pid == process.UniqueProcessId) { return(true); } } return(false); }

Exemplo n.º 2

0

Exibir arquivo

Arquivo: HeuristicsUserModeHelper.cs Projeto: radtek/codeword

///////////////////////////////////////////////////// // // // CrossViewAnalysisWithTrustedProcessList() // // // ///////////////////////////////////////////////////// //Description: This cross-view analysis approach uses // a "trusted list" it obtains from PspCidTable // and diffs that across the 3 user mode // methods. // //Returns: an array of CWPROCESS_RECORD structs ///////////////////////////////////////////////////// /*internal static CwStructures.CWPROCESS_RECORD[] CrossViewAnalysisWithTrustedProcessList() * { * // * // * // TODO: THIS FUNCTION IS INCOMPLETE! * // * // * // * * //1. GET TRUSTED PROCESS LIST * // * //we will get a listing of processes from kernel mode using the PspCidTable * uint[] trustedPidList = new uint[256]; * * try * { * trustedPidList = HeuristicsUserModeHelper.GetKernelModeProcessListingPspCidTable(); * } * catch (Exception ex) * { * AgentHeuristicMatches.UserModeMatches.ProcessListing = new CwStructures.CWPROCESS_RECORD[0]; * AgentScanLog.AppendLine("Failed to get trusted process listing using PspCidTable: " + ex.Message); * return false; * } * * //build a CWPROCESS_RECORD array for storing hidden processes * CwStructures.CWPROCESS_RECORD[] hiddenProcesses = new CwStructures.CWPROCESS_RECORD[trustedPidList.Length]; * * //take the "trusted" listing and create a process entry for each process * //we will shortly enumerate processes from user mode in 3 ways and then fill * //the boolean field of each process in this structure * for (int i = 0; i < trustedPidList.Length; i++) * { * hiddenProcesses[i] = new CwStructures.CWPROCESS_RECORD(); * hiddenProcesses[i].pid = trustedPidList[i]; * hiddenProcesses[i].IsInUserModePsapiList = false; * hiddenProcesses[i].IsInUserModeToolhelp32List = false; * hiddenProcesses[i].IsInUserModeZwqList = false; * } * }*/ ///////////////////////////////////////////////////// // // // CrossViewAnalysis() // // // ///////////////////////////////////////////////////// //Description: This cross-view analysis approach creates // four different process listings using // various process enumeration methods and then // diffs all those lists to see if there are // any discrepancies. // //Returns: an array of CWPROCESS_RECORD structs ///////////////////////////////////////////////////// internal static CwStructures.CWPROCESS_RECORD[] CrossViewAnalysis() { //************************************* //Cross-view analysis //************************************* //user mode enumeration methods: // (1)PSAPI // (2)Toolhelp32 // (3)ZwQuerySystemInformation // //kernel mode enumeration methods: // (1)PspCidTable (TODO) // (2)ZwQuerySystemInformation // //************************************* // GET DATA POINTS //************************************* //1. PSAPI Process[] PsapiList = Process.GetProcesses(); // //2. TOOLHELP32 ArrayList Toolhelp32List = HeuristicsUserModeHelper.GetUserModeProcessListingToolHelp32(); //3. ZWQUERYSYSTEMINFORMATION (KERNEL MODE) CwStructures.PROCESS_LISTING_ZWQ ZwQueryKmList = new CwStructures.PROCESS_LISTING_ZWQ(); try { ZwQueryKmList = HeuristicsUserModeHelper.GetKernelModeProcessListingZwq(); } catch (Exception ex) { AgentScanLog.AppendLine("SCAN: Failed to get process list using ZwQuerySystemInformation() from kernel mode: " + ex.Message); } //4. ZWQUERYSYSTEMINFORMATION (USER MODE) Win32Helper.SYSTEM_PROCESS_INFORMATION[] ZwQueryUmList = new Win32Helper.SYSTEM_PROCESS_INFORMATION[0]; try { ZwQueryUmList = Win32Helper.GetActiveProcessList(); } catch (Exception ex) { AgentScanLog.AppendLine("SCAN: Failed to get process list using ZwQuerySystemInformation from user mode: " + ex.Message); } //prepare return structure - initialize our list of processes to the obvious ones //in the psapi library (using .NET's Process class) ArrayList hiddenProcesses = new ArrayList(); foreach (Process p in Process.GetProcesses()) { string pname = ""; try { pname = p.MainModule.ModuleName; } catch (Exception) { } AddPidToList(ref hiddenProcesses, (uint)p.Id, GetPsapiParentProcessId(p.ProcessName), pname, ""); } //************************************* // DIFF EACH LIST AGAINST ALL LISTS //************************************* // //1. PSAPI foreach (Process p in PsapiList) { if (p.Id == 0) { continue; } string pname = ""; try { pname = p.MainModule.ModuleName; } catch (Exception) { } if (Toolhelp32List != null) { if (!HeuristicsUserModeHelper.IsProcessPidInToolhelp32List((uint)p.Id)) { AddPidToList(ref hiddenProcesses, (uint)p.Id, GetPsapiParentProcessId(p.ProcessName), pname, "Toolhelp32"); } } if (ZwQueryKmList.numProcesses > 0) { if (!HeuristicsUserModeHelper.IsProcessPidInZwqKMList((uint)p.Id)) { AddPidToList(ref hiddenProcesses, (uint)p.Id, GetPsapiParentProcessId(p.ProcessName), pname, "ZwQueryUM"); } } if (ZwQueryUmList.Length > GetPsapiParentProcessId(p.ProcessName)) { if (!HeuristicsUserModeHelper.IsProcessPidInZwqUMList((uint)p.Id)) { AddPidToList(ref hiddenProcesses, (uint)p.Id, GetPsapiParentProcessId(p.ProcessName), pname, "ZwQueryKM"); } } } //2. Toolhelp32 if (Toolhelp32List != null) { foreach (Win32Helper.PROCESSENTRY32 process in (Win32Helper.PROCESSENTRY32[])Toolhelp32List.ToArray(typeof(Win32Helper.PROCESSENTRY32))) { if (process.th32ProcessID == 0) { continue; } if (PsapiList != null) { if (!HeuristicsUserModeHelper.IsProcessPidInPsapiList(process.th32ProcessID)) { AddPidToList(ref hiddenProcesses, process.th32ProcessID, process.th32ParentProcessID, process.szExeFile, "Psapi"); } } if (ZwQueryKmList.numProcesses > 0) { if (!HeuristicsUserModeHelper.IsProcessPidInZwqKMList(process.th32ProcessID)) { AddPidToList(ref hiddenProcesses, process.th32ProcessID, process.th32ParentProcessID, process.szExeFile, "ZwQueryUM"); } } if (ZwQueryUmList.Length > 0) { if (!HeuristicsUserModeHelper.IsProcessPidInZwqUMList(process.th32ProcessID)) { AddPidToList(ref hiddenProcesses, process.th32ProcessID, process.th32ParentProcessID, process.szExeFile, "ZwQueryKM"); } } } } //3. ZwQuerySystemInformation USER MODE if (ZwQueryUmList != null) { foreach (Win32Helper.SYSTEM_PROCESS_INFORMATION process in ZwQueryUmList) { if (process.UniqueProcessId == 0) { continue; } if (PsapiList != null) { if (!HeuristicsUserModeHelper.IsProcessPidInPsapiList(process.UniqueProcessId)) { AddPidToList(ref hiddenProcesses, process.UniqueProcessId, process.InheritedFromUniqueProcessId, process.ImageName.Buffer, "Psapi"); } } if (Toolhelp32List != null) { if (!HeuristicsUserModeHelper.IsProcessPidInToolhelp32List(process.UniqueProcessId)) { AddPidToList(ref hiddenProcesses, process.UniqueProcessId, process.InheritedFromUniqueProcessId, process.ImageName.Buffer, "Toolhelp32"); } } if (ZwQueryKmList.numProcesses > 0) { if (!HeuristicsUserModeHelper.IsProcessPidInZwqKMList(process.UniqueProcessId)) { AddPidToList(ref hiddenProcesses, process.UniqueProcessId, process.InheritedFromUniqueProcessId, process.ImageName.Buffer, "ZwQueryKM"); } } } } //4. ZwQuerySystemInformation KERNEL MODE if (ZwQueryKmList.numProcesses > 0) { for (int i = 0; i < ZwQueryKmList.numProcesses; i++) { CwStructures.CW_PROCESS_ENTRY process = ZwQueryKmList.ProcessList[i]; if (process.UniqueProcessId == 0) { continue; } if (PsapiList != null) { if (!HeuristicsUserModeHelper.IsProcessPidInPsapiList(process.UniqueProcessId)) { AddPidToList(ref hiddenProcesses, process.UniqueProcessId, process.InheritedFromUniqueProcessId, process.ImageName, "Psapi"); } } if (Toolhelp32List != null) { if (!HeuristicsUserModeHelper.IsProcessPidInToolhelp32List(process.UniqueProcessId)) { AddPidToList(ref hiddenProcesses, process.UniqueProcessId, process.InheritedFromUniqueProcessId, process.ImageName, "Toolhelp32"); } } if (ZwQueryUmList != null && ZwQueryUmList.Length > 0) { if (!HeuristicsUserModeHelper.IsProcessPidInZwqUMList(process.UniqueProcessId)) { AddPidToList(ref hiddenProcesses, process.UniqueProcessId, process.InheritedFromUniqueProcessId, process.ImageName, "ZwQueryUM"); } } } } return((CwStructures.CWPROCESS_RECORD[])hiddenProcesses.ToArray(typeof(CwStructures.CWPROCESS_RECORD))); }