public static string GetProcessUser(IntPtr hProcess, RunningProcess pre)
{
int MAX_INTPTR_BYTE_ARR_SIZE = 512;
IntPtr tokenHandle;
byte[] sidBytes;
try
{
winaudits.AdjustPrevilege.AddDebugPrevilege();
// Get the Process Token
if (!OpenProcessToken(hProcess, TOKEN_READ, out tokenHandle))
{
return(null);
}
uint tokenInfoLength = 0;
bool result;
result = GetTokenInformation(tokenHandle, TOKEN_INFORMATION_CLASS.TokenUser, IntPtr.Zero, tokenInfoLength, out tokenInfoLength);
// get the token info length
IntPtr tokenInfo = Marshal.AllocHGlobal((int)tokenInfoLength);
result = GetTokenInformation(tokenHandle, TOKEN_INFORMATION_CLASS.TokenUser, tokenInfo, tokenInfoLength, out tokenInfoLength); // get the token info
// Get the User SID
if (result)
{
TOKEN_USER tokenUser = (TOKEN_USER)Marshal.PtrToStructure(tokenInfo, typeof(TOKEN_USER));
sidBytes = new byte[MAX_INTPTR_BYTE_ARR_SIZE]; // Since I don't yet know how to be more precise w/ the size of the byte arr, it is being set to 512
Marshal.Copy(tokenUser.User.Sid, sidBytes, 0, MAX_INTPTR_BYTE_ARR_SIZE); // get a byte[] representation of the SID
var sid = new SecurityIdentifier(sidBytes, 0);
if (sid != null)
{
pre.SID = sid.ToString();
if (sid.IsAccountSid() == true)
{
pre.SIDType = "Account SID";
}
else
{
pre.SIDType = "WellKnown";
}
}
return(GetUserNameFromSID(sidBytes));
}
}
catch (Exception)
{
return(null);
}
return(null);
}
private static string GetProcessParametersString(int processId, PEB_OFFSET Offset, RunningProcess pre)
{
IntPtr handle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, processId);
if (handle == IntPtr.Zero)
{
return(null);
}
///////////////////// Get the username associated with the process ///////////////////
string username = LookupAccountName.GetProcessUser(handle, pre);
if (username != null)
{
pre.UserName = username;
}
/////////////////////////////////////////////////////////////////////////////////////
/////////////////// Get Working Set Counters ///////////////////////////////////////
PROCESS_MEMORY_COUNTERS memoryCounters;
memoryCounters.cb = (uint)Marshal.SizeOf(typeof(PROCESS_MEMORY_COUNTERS));
if (GetProcessMemoryInfo(handle, out memoryCounters, memoryCounters.cb))
{
pre.WorkingSet = (int)memoryCounters.WorkingSetSize;
//pre.workingsetstr = pre.workingset.ToString("#,##0") + " " + "Bytes";
}
////////////////////////////////////////////////////////////////////////////////////
FILETIME lpCreationTime = new FILETIME();
FILETIME lpUserTime = new FILETIME();
FILETIME lpKernelTime = new FILETIME();
FILETIME lpExitTime = new FILETIME();
bool retval = GetProcessTimes(handle, out lpCreationTime, out lpExitTime, out lpKernelTime, out lpUserTime);
if (retval == true)
{
string sc = ConvertTimeToString(lpCreationTime.DateTimeHigh, lpCreationTime.DateTimeLow, true);
pre.StartTime = DateTime.Parse(sc);
string kr = ConvertTimeToString(lpKernelTime.DateTimeHigh, lpKernelTime.DateTimeLow, false);
pre.KernalTime = kr;
string ut = ConvertTimeToString(lpUserTime.DateTimeHigh, lpUserTime.DateTimeLow, false);
pre.UserTime = ut;
}
bool IsWow64Process = PlatformCheck.InternalCheckIsWow64();
bool IsTargetWow64Process = PlatformCheck.GetProcessIsWow64(handle);
bool IsTarget64BitProcess = Is64BitOperatingSystem && !IsTargetWow64Process;
pre.IsWow64 = IsTargetWow64Process;
long offset = 0;
long processParametersOffset = IsTarget64BitProcess ? 0x20 : 0x10;
long offsetldr = 0x0c;
switch (Offset)
{
case PEB_OFFSET.CurrentDirectory:
offset = IsTarget64BitProcess ? 0x38 : 0x24;
break;
case PEB_OFFSET.CommandLine:
offset = Is64BitOperatingSystem ? 0x70 : 0x40;
if (offset == 0x70 && IsTargetWow64Process)
{
offset = 0x40;
}
break;
default:
return(null);
}
try
{
long pebAddress = 0;
if (IsTargetWow64Process) // OS : 64Bit, Cur : 32 or 64, Tar: 32bit
{
IntPtr peb32 = new IntPtr();
int hr = NtQueryInformationProcess(handle, (int)PROCESSINFOCLASS.ProcessWow64Information, ref peb32, IntPtr.Size, IntPtr.Zero);
if (hr != 0)
{
return(null);
}
pebAddress = peb32.ToInt64();
IntPtr pp = new IntPtr();
if (!ReadProcessMemory(handle, new IntPtr(pebAddress + processParametersOffset), ref pp, new IntPtr(Marshal.SizeOf(pp)), IntPtr.Zero))
{
return(null);
}
UNICODE_STRING_32 us = new UNICODE_STRING_32();
if (!ReadProcessMemory(handle, new IntPtr(pp.ToInt64() + offset), ref us, new IntPtr(Marshal.SizeOf(us)), IntPtr.Zero))
{
return(null);
}
if ((us.Buffer == 0) || (us.Length == 0))
{
return(null);
}
string s = new string('\0', us.Length / 2);
if (!ReadProcessMemory(handle, new IntPtr(us.Buffer), s, new IntPtr(us.Length), IntPtr.Zero))
{
return(null);
}
UNICODE_STRING_32 us2 = new UNICODE_STRING_32();
if (!ReadProcessMemory(handle, new IntPtr(pp.ToInt64() + offset - 8), ref us2, new IntPtr(Marshal.SizeOf(us2)), IntPtr.Zero))
{
return(null);
}
if ((us2.Buffer == 0) || (us2.Length == 0))
{
return(null);
}
string s2 = new string('\0', us2.Length / 2);
if (!ReadProcessMemory(handle, new IntPtr(us2.Buffer), s2, new IntPtr(us2.Length), IntPtr.Zero))
{
return(null);
}
pre.Arguments = s;
pre.Path = s2;
//////////// Read Loader ////////
PEB_LDR_DATA ldr1 = new PEB_LDR_DATA();
IntPtr ldrp = StructToPtr(ldr1);
if (!ReadProcessMemory(handle, new IntPtr(pebAddress + 0x0c), ref ldrp, new IntPtr(Marshal.SizeOf(ldr1)), IntPtr.Zero))
{
return(null);
}
/// We have
long ldraddress = ldrp.ToInt64();
IntPtr le1 = new IntPtr(ldraddress + 0x0c);
if (!ReadProcessMemory(handle, new IntPtr(ldraddress + 0xc), ref le1, new IntPtr(Marshal.SizeOf(le1)), IntPtr.Zero))
{
return(null);
}
while (le1 != null)
{
UNICODE_STRING_32 us3 = new UNICODE_STRING_32();
if (!ReadProcessMemory(handle, new IntPtr(le1.ToInt64() + 0x24), ref us3, new IntPtr(Marshal.SizeOf(us3)), IntPtr.Zero))
{
return(null);
}
if ((us3.Buffer == 0) || (us3.Length == 0))
{
return(null);
}
string s3 = new string('\0', us3.Length / 2);
if (!ReadProcessMemory(handle, new IntPtr(us3.Buffer), s3, new IntPtr(us3.Length), IntPtr.Zero))
{
return(null);
}
long nextlist = le1.ToInt64();
IntPtr nextlistp = new IntPtr(nextlist);
if (!ReadProcessMemory(handle, nextlistp, ref le1, new IntPtr(Marshal.SizeOf(le1)), IntPtr.Zero))
{
return(null);
}
LoadedModule pme = new LoadedModule();
pme.ModulePath = s3;
pre.ListProcessModule.Add(pme);
}
return(s);
}
else if (IsWow64Process)//Os : 64Bit, Cur 32, Tar 64
{
PROCESS_BASIC_INFORMATION_WOW64 pbi = new PROCESS_BASIC_INFORMATION_WOW64();
int hr = NtWow64QueryInformationProcess64(handle, (int)PROCESSINFOCLASS.ProcessBasicInformation, ref pbi, Marshal.SizeOf(pbi), IntPtr.Zero);
if (hr != 0)
{
return(null);
}
pebAddress = pbi.PebBaseAddress;
long pp = 0;
hr = NtWow64ReadVirtualMemory64(handle, pebAddress + processParametersOffset, ref pp, Marshal.SizeOf(pp), IntPtr.Zero);
if (hr != 0)
{
return(null);
}
UNICODE_STRING_WOW64 us = new UNICODE_STRING_WOW64();
hr = NtWow64ReadVirtualMemory64(handle, pp + offset, ref us, Marshal.SizeOf(us), IntPtr.Zero);
if (hr != 0)
{
return(null);
}
if ((us.Buffer == 0) || (us.Length == 0))
{
return(null);
}
string s = new string('\0', us.Length / 2);
hr = NtWow64ReadVirtualMemory64(handle, us.Buffer, s, us.Length, IntPtr.Zero);
if (hr != 0)
{
return(null);
}
if (pre != null)
{
pre.Arguments = s;
}
UNICODE_STRING_WOW64 us2 = new UNICODE_STRING_WOW64();
hr = NtWow64ReadVirtualMemory64(handle, pp + offset - Marshal.SizeOf(us2), ref us2, Marshal.SizeOf(us2), IntPtr.Zero);
if (hr != 0)
{
return(null);
}
if ((us2.Buffer == 0) || (us2.Length == 0))
{
return(null);
}
string s2 = new string('\0', us2.Length / 2);
hr = NtWow64ReadVirtualMemory64(handle, us2.Buffer, s2, us2.Length, IntPtr.Zero);
if (hr != 0)
{
return(null);
}
// Console.WriteLine("IM : " + s2);
pre.Path = s2;
/////////////////////For Testing
if (s2 != null && ((s2.ToLower().Contains("taskmgr.exe") == false)))
{
//return s2;
}
//////////// Read Loader ////////
long ldrp = 0;
if (NtWow64ReadVirtualMemory64(handle, pebAddress + 0x18, ref ldrp, sizeof(long), IntPtr.Zero) != 0)
{
return(null);
}
/// We have
long ldraddress = ldrp + 0x10;
long le1 = 0;
if (NtWow64ReadVirtualMemory64(handle, ldraddress, ref le1, sizeof(long), IntPtr.Zero) != 0)
{
return(null);
}
while (le1 != 0)
{
UNICODE_STRING_WOW64 us3 = new UNICODE_STRING_WOW64();
hr = NtWow64ReadVirtualMemory64(handle, le1 + 0x48, ref us3, Marshal.SizeOf(us3), IntPtr.Zero);
if (hr != 0)
{
return(null);
}
if ((us3.Buffer == 0) || (us3.Length == 0))
{
return(null);
}
string s3 = new string('\0', us3.Length / 2);
hr = NtWow64ReadVirtualMemory64(handle, us3.Buffer, s3, us3.Length, IntPtr.Zero);
if (hr != 0)
{
return(null);
}
long nextlist = le1;
hr = NtWow64ReadVirtualMemory64(handle, nextlist, ref le1, sizeof(long), IntPtr.Zero);
if (hr != 0)
{
return(null);
}
LoadedModule pme = new LoadedModule();
pme.ModulePath = s3;
pre.ListProcessModule.Add(pme);
}
return(s);
}
else// Os,Cur,Tar : 64 or 32
{
PROCESS_BASIC_INFORMATION pbi = new PROCESS_BASIC_INFORMATION();
int hr = NtQueryInformationProcess(handle, (int)PROCESSINFOCLASS.ProcessBasicInformation, ref pbi, Marshal.SizeOf(pbi), IntPtr.Zero);
if (hr != 0)
{
return(null);
}
pebAddress = pbi.PebBaseAddress.ToInt64();
IntPtr pp = new IntPtr();
if (!ReadProcessMemory(handle, new IntPtr(pebAddress + processParametersOffset), ref pp, new IntPtr(Marshal.SizeOf(pp)), IntPtr.Zero))
{
return(null);
}
UNICODE_STRING us = new UNICODE_STRING();
if (!ReadProcessMemory(handle, new IntPtr((long)pp + offset), ref us, new IntPtr(Marshal.SizeOf(us)), IntPtr.Zero))
{
return(null);
}
if ((us.Buffer == IntPtr.Zero) || (us.Length == 0))
{
return(null);
}
string s = new string('\0', us.Length / 2);
if (!ReadProcessMemory(handle, us.Buffer, s, new IntPtr(us.Length), IntPtr.Zero))
{
return(null);
}
UNICODE_STRING us2 = new UNICODE_STRING();
if (!ReadProcessMemory(handle, new IntPtr((long)pp + offset - Marshal.SizeOf(us2)), ref us2, new IntPtr(Marshal.SizeOf(us2)), IntPtr.Zero))
{
return(null);
}
if ((us2.Buffer == IntPtr.Zero) || (us2.Length == 0))
{
return(null);
}
string s2 = new string('\0', us2.Length / 2);
if (!ReadProcessMemory(handle, us2.Buffer, s2, new IntPtr(us2.Length), IntPtr.Zero))
{
return(null);
}
pre.Path = s2;
pre.Arguments = s;
//////////// Read Loader ////////
PEB_LDR_DATA ldr1 = new PEB_LDR_DATA();
IntPtr ldrp = StructToPtr(ldr1);
if (!ReadProcessMemory(handle, new IntPtr(pebAddress + 0x0c), ref ldrp, new IntPtr(Marshal.SizeOf(ldr1)), IntPtr.Zero))
{
return(null);
}
/// We have
long ldraddress = ldrp.ToInt64();
IntPtr le1 = new IntPtr(ldraddress + 0x0c);
if (!ReadProcessMemory(handle, new IntPtr(ldraddress + 0xc), ref le1, new IntPtr(Marshal.SizeOf(le1)), IntPtr.Zero))
{
return(null);
}
while (le1 != null)
{
UNICODE_STRING_32 us3 = new UNICODE_STRING_32();
if (!ReadProcessMemory(handle, new IntPtr(le1.ToInt64() + 0x24), ref us3, new IntPtr(Marshal.SizeOf(us3)), IntPtr.Zero))
{
return(null);
}
if ((us3.Buffer == 0) || (us3.Length == 0))
{
return(null);
}
string s3 = new string('\0', us3.Length / 2);
if (!ReadProcessMemory(handle, new IntPtr(us3.Buffer), s3, new IntPtr(us3.Length), IntPtr.Zero))
{
return(null);
}
long nextlist = le1.ToInt64();
IntPtr nextlistp = new IntPtr(nextlist);
if (!ReadProcessMemory(handle, nextlistp, ref le1, new IntPtr(Marshal.SizeOf(le1)), IntPtr.Zero))
{
return(null);
}
LoadedModule pme = new LoadedModule();
pme.ModulePath = s3;
pre.ListProcessModule.Add(pme);
}
return(s);
}
}
finally
{
CloseHandle(handle);
}
}
public static List <RunningProcess> StartAudit()
{
IntPtr handleToSnapshot = IntPtr.Zero;
List <RunningProcess> prelem = new List <RunningProcess>();
Dictionary <string, Forensics.CryptInfo> lstCertInfo = new Dictionary <string, Forensics.CryptInfo>();
try
{
PROCESSENTRY32 procEntry = new PROCESSENTRY32();
procEntry.dwSize = (UInt32)Marshal.SizeOf(typeof(PROCESSENTRY32));
handleToSnapshot = CreateToolhelp32Snapshot((uint)SnapshotFlags.Process, 0);
if (Process32First(handleToSnapshot, ref procEntry))
{
do
{
RunningProcess pre = new RunningProcess();
pre.ListProcessModule = new List <LoadedModule>();
pre.PID = procEntry.th32ProcessID;
pre.ProcessName = procEntry.szExeFile;
pre.PPID = procEntry.th32ParentProcessID;
pre.ParentName = GetMainModuleFilepath((int)pre.PPID);
string s1 = winaudits.ProcessList.GetProcessParametersString((int)procEntry.th32ProcessID,
PEB_OFFSET.CommandLine, pre);
if (!string.IsNullOrEmpty(pre.Path))
{
Forensics.CryptInfo ci;
if (lstCertInfo.ContainsKey(pre.Path))
{
ci = lstCertInfo[pre.Path];
}
else
{
ci = Forensics.SigVerify.CheckSignatureForFile(pre.Path);
ci.MD5 = Forensics.ProxyMD5.ComputeFileMD5(pre.Path);
lstCertInfo.Add(pre.Path, ci);
}
pre.MD5 = ci.MD5;
pre.IsSigned = ci.IsSigned;
pre.IsVerified = ci.IsVerified;
pre.CertSubject = ci.Subject;
pre.CA = ci.CA;
pre.SignatureString = ci.Signature;
}
foreach (var modu in pre.ListProcessModule)
{
modu.ProcessId = (int)pre.PID;
if (!string.IsNullOrEmpty(modu.ModulePath))
{
modu.ModuleName = Path.GetFileName(modu.ModulePath);
}
Forensics.CryptInfo ci;
if (lstCertInfo.ContainsKey(modu.ModulePath))
{
ci = lstCertInfo[modu.ModulePath];
}
else
{
ci = Forensics.SigVerify.CheckSignatureForFile(modu.ModulePath);
ci.MD5 = Forensics.ProxyMD5.ComputeFileMD5(modu.ModulePath);
lstCertInfo.Add(modu.ModulePath, ci);
}
modu.MD5 = ci.MD5;
modu.IsSigned = ci.IsSigned;
modu.IsVerified = ci.IsVerified;
modu.CertSubject = ci.Subject;
modu.CA = ci.CA;
modu.SignatureString = ci.Signature;
}
prelem.Add(pre);
} while (Process32Next(handleToSnapshot, ref procEntry));
}
}
catch (Exception)
{
return(prelem);
}
finally
{
// Must clean up the snapshot object!
CloseHandle(handleToSnapshot);
}
return(prelem);
}
