public SsLogger(int bufferedBlockCount, bool includeAll) { // Allocate a buffer. _buffer = new VirtualMemoryAlloc(_highBlockSize * bufferedBlockCount); // Create the read and write semaphores. // Read semaphore: no blocks initially, so 0 initial count. _readSemaphore = SemaphoreHandle.Create(SemaphoreAccess.All, 0, bufferedBlockCount); // Write semaphore: all buffer blocks available so max. initial count. _writeSemaphore = SemaphoreHandle.Create(SemaphoreAccess.All, bufferedBlockCount, bufferedBlockCount); // Create the client entry. //_clientEntryHandle = KProcessHacker.Instance.SsCreateClientEntry( // ProcessHandle.Current, // _readSemaphore, // _writeSemaphore, // _buffer, // _buffer.Size // ); // Create the ruleset entry. //_ruleSetEntryHandle = KProcessHacker.Instance.SsCreateRuleSetEntry( // _clientEntryHandle, // includeAll ? KphSsFilterType.Include : KphSsFilterType.Exclude, // KphSsRuleSetAction.Log // ); }
public SsLogger(int bufferedBlockCount, bool includeAll) { // Allocate a buffer. _buffer = new VirtualMemoryAlloc(_highBlockSize * bufferedBlockCount); // Create the read and write semaphores. // Read semaphore: no blocks initially, so 0 initial count. _readSemaphore = SemaphoreHandle.Create(SemaphoreAccess.All, 0, bufferedBlockCount); // Write semaphore: all buffer blocks available so max. initial count. _writeSemaphore = SemaphoreHandle.Create(SemaphoreAccess.All, bufferedBlockCount, bufferedBlockCount); // Create the client entry. _clientEntryHandle = KProcessHacker.Instance.SsCreateClientEntry( ProcessHandle.Current, _readSemaphore, _writeSemaphore, _buffer, _buffer.Size ); // Create the ruleset entry. _ruleSetEntryHandle = KProcessHacker.Instance.SsCreateRuleSetEntry( _clientEntryHandle, includeAll ? KphSsFilterType.Include : KphSsFilterType.Exclude, KphSsRuleSetAction.Log ); }
public SemaphoreProperties(SemaphoreHandle semaphoreHandle) { InitializeComponent(); _semaphoreHandle = semaphoreHandle; _semaphoreHandle.Reference(); this.UpdateInfo(); }
public KphSsClientEntryHandle SsCreateClientEntry( ProcessHandle processHandle, SemaphoreHandle readSemaphoreHandle, SemaphoreHandle writeSemaphoreHandle, IntPtr bufferBase, int bufferSize ) { byte *inData = stackalloc byte[0x14]; byte *outData = stackalloc byte[4]; *(int *)inData = processHandle; *(int *)(inData + 0x4) = readSemaphoreHandle; *(int *)(inData + 0x8) = writeSemaphoreHandle; *(int *)(inData + 0xc) = bufferBase.ToInt32(); *(int *)(inData + 0x10) = bufferSize; _fileHandle.IoControl(CtlCode(Control.SsCreateClientEntry), inData, 0x14, outData, 4); return(new KphSsClientEntryHandle((*(int *)outData).ToIntPtr())); }
public SsLogger(int bufferedBlockCount, bool includeAll) { _buffer = new VirtualMemoryAlloc(_highBlockSize * bufferedBlockCount); _readSemaphore = SemaphoreHandle.Create(SemaphoreAccess.All, 0, bufferedBlockCount); _writeSemaphore = SemaphoreHandle.Create(SemaphoreAccess.All, bufferedBlockCount, bufferedBlockCount); _clientEntryHandle = KProcessHacker.Instance.SsCreateClientEntry( ProcessHandle.Current, _readSemaphore, _writeSemaphore, _buffer, _buffer.Size ); _ruleSetEntryHandle = KProcessHacker.Instance.SsCreateRuleSetEntry( _clientEntryHandle, includeAll ? KphSsFilterType.Include : KphSsFilterType.Exclude, KphSsRuleSetAction.Log ); }
public static void ShowHandleProperties(SystemHandleEntry handleInfo) { try { IntPtr handle = new IntPtr(handleInfo.Handle); ProcessHandle phandle = new ProcessHandle(handleInfo.ProcessId, ProcessAccess.DupHandle); GenericHandle dupHandle = null; // Try to get a handle, since we need one for security editing. try { dupHandle = new GenericHandle(phandle, handle, 0); } catch { } PropSheetHeader64 header = new PropSheetHeader64 { dwSize = (uint)PropSheetHeader64.SizeOf, nPages = 2, dwFlags = (uint)PropSheetFlags.PSH_DEFAULT, pszCaption = "Handle Properties" }; using (HandleDetails hw = new HandleDetails()) { hw.ObjectHandle = handleInfo; hw.HandlePropertiesCallback += (control, name, typeName) => { switch (typeName.ToLowerInvariant()) { // Objects with separate property windows: case "file": case "job": case "key": case "token": case "process": { Button b = new Button { FlatStyle = FlatStyle.System, Text = "Properties" }; b.Click += (sender, e) => { try { switch (typeName.ToLowerInvariant()) { case "file": { FileUtils.ShowProperties(name); } break; case "job": { dupHandle = new GenericHandle(phandle, handle, (int)JobObjectAccess.Query); (new JobWindow(JobObjectHandle.FromHandle(dupHandle))).ShowDialog(); } break; case "key": { try { PhUtils.OpenKeyInRegedit(PhUtils.GetForegroundWindow(), name); } catch (Exception ex) { PhUtils.ShowException("Unable to open the Registry Editor", ex); } } break; case "token": { using (TokenWindow twindow = new TokenWindow(new RemoteTokenHandle(phandle, handle))) { twindow.ShowDialog(); } } break; case "process": { dupHandle = new GenericHandle(phandle, handle, (int)OSVersion.MinProcessQueryInfoAccess); int pid = ProcessHandle.FromHandle(dupHandle).ProcessId; Program.GetProcessWindow(Program.ProcessProvider.Dictionary[pid], Program.FocusWindow); } break; } } catch (Exception ex) { PhUtils.ShowException("Unable to show object properties", ex); } }; control.Controls.Add(b); } break; case "event": { dupHandle = new GenericHandle(phandle, handle, (int)EventAccess.QueryState); var eventProps = new EventProperties(EventHandle.FromHandle(dupHandle)); control.Controls.Add(eventProps); } break; case "eventpair": { dupHandle = new GenericHandle(phandle, handle, (int)EventPairAccess.All); var eventPairProps = new EventPairProperties(EventPairHandle.FromHandle(dupHandle)); control.Controls.Add(eventPairProps); } break; case "mutant": { dupHandle = new GenericHandle(phandle, handle, (int)MutantAccess.QueryState); var mutantProps = new MutantProperties(MutantHandle.FromHandle(dupHandle)); control.Controls.Add(mutantProps); } break; case "section": { dupHandle = new GenericHandle(phandle, handle, (int)SectionAccess.Query); var sectionProps = new SectionProperties(SectionHandle.FromHandle(dupHandle)); control.Controls.Add(sectionProps); } break; case "semaphore": { dupHandle = new GenericHandle(phandle, handle, (int)SemaphoreAccess.QueryState); var semaphoreProps = new SemaphoreProperties(SemaphoreHandle.FromHandle(dupHandle)); control.Controls.Add(semaphoreProps); } break; case "timer": { dupHandle = new GenericHandle(phandle, handle, (int)TimerAccess.QueryState); var timerProps = new TimerProperties(TimerHandle.FromHandle(dupHandle)); control.Controls.Add(timerProps); } break; case "tmrm": { dupHandle = new GenericHandle(phandle, handle, (int)ResourceManagerAccess.QueryInformation); var tmRmProps = new TmRmProperties(ResourceManagerHandle.FromHandle(dupHandle)); control.Controls.Add(tmRmProps); } break; case "tmtm": { dupHandle = new GenericHandle(phandle, handle, (int)TmAccess.QueryInformation); var tmTmProps = new TmTmProperties(TmHandle.FromHandle(dupHandle)); control.Controls.Add(tmTmProps); } break; } }; hw.Init(); IntPtr[] pages = new IntPtr[2]; pages[0] = hw.CreatePageHandle(); pages[1] = CreateSecurityPage(SecurityEditor.EditSecurity2( null, SecurityEditor.GetSecurableWrapper(dupHandle), hw._name, NativeTypeFactory.GetAccessEntries(NativeTypeFactory.GetObjectType(hw._typeName)) )); GCHandle gch = GCHandle.Alloc(pages, GCHandleType.Pinned); header.phpage = gch.AddrOfPinnedObject(); PropertySheetW(ref header); if (dupHandle != null) { dupHandle.Dispose(); } } } catch (Exception ex) { PhUtils.ShowException("Unable to show handle properties", ex); } }
public static void ShowHandleProperties(SystemHandleEntry handleInfo) { try { HandlePropertiesWindow window = new HandlePropertiesWindow(handleInfo); IntPtr handle = new IntPtr(handleInfo.Handle); ProcessHandle phandle = new ProcessHandle(handleInfo.ProcessId, ProcessAccess.DupHandle); GenericHandle dupHandle = null; window.HandlePropertiesCallback += (control, name, typeName) => { switch (typeName.ToLowerInvariant()) { // Objects with separate property windows: case "file": case "job": case "key": case "token": case "process": { Button b = new Button(); b.FlatStyle = FlatStyle.System; b.Text = "Properties"; b.Click += (sender, e) => { try { switch (typeName.ToLowerInvariant()) { case "file": { FileUtils.ShowProperties(name); } break; case "job": { dupHandle = new GenericHandle( phandle, handle, (int)JobObjectAccess.Query); (new JobWindow(JobObjectHandle.FromHandle(dupHandle))).ShowDialog(); } break; case "key": { try { PhUtils.OpenKeyInRegedit(PhUtils.GetForegroundWindow(), name); } catch (Exception ex) { PhUtils.ShowException("Unable to open the Registry Editor", ex); } } break; case "token": { (new TokenWindow(new RemoteTokenHandle(phandle, handle))).ShowDialog(); } break; case "process": { int pid; if (KProcessHacker.Instance != null) { pid = KProcessHacker.Instance.KphGetProcessId(phandle, handle); } else { dupHandle = new GenericHandle( phandle, handle, (int)OSVersion.MinProcessQueryInfoAccess); pid = ProcessHandle.FromHandle(dupHandle).GetProcessId(); } Program.GetProcessWindow(Program.ProcessProvider.Dictionary[pid], (f) => Program.FocusWindow(f)); } break; } } catch (Exception ex) { PhUtils.ShowException("Unable to show object properties", ex); } }; control.Controls.Add(b); } break; case "event": { dupHandle = new GenericHandle(phandle, handle, (int)EventAccess.QueryState); var eventProps = new EventProperties(EventHandle.FromHandle(dupHandle)); control.Controls.Add(eventProps); } break; case "eventpair": { dupHandle = new GenericHandle(phandle, handle, (int)EventPairAccess.All); var eventPairProps = new EventPairProperties(EventPairHandle.FromHandle(dupHandle)); control.Controls.Add(eventPairProps); } break; case "mutant": { dupHandle = new GenericHandle(phandle, handle, (int)MutantAccess.QueryState); var mutantProps = new MutantProperties(MutantHandle.FromHandle(dupHandle)); control.Controls.Add(mutantProps); } break; case "section": { dupHandle = new GenericHandle(phandle, handle, (int)SectionAccess.Query); var sectionProps = new SectionProperties(SectionHandle.FromHandle(dupHandle)); control.Controls.Add(sectionProps); } break; case "semaphore": { dupHandle = new GenericHandle(phandle, handle, (int)SemaphoreAccess.QueryState); var semaphoreProps = new SemaphoreProperties(SemaphoreHandle.FromHandle(dupHandle)); control.Controls.Add(semaphoreProps); } break; case "timer": { dupHandle = new GenericHandle(phandle, handle, (int)TimerAccess.QueryState); var timerProps = new TimerProperties(TimerHandle.FromHandle(dupHandle)); control.Controls.Add(timerProps); } break; case "tmrm": { dupHandle = new GenericHandle(phandle, handle, (int)ResourceManagerAccess.QueryInformation); var tmRmProps = new TmRmProperties(ResourceManagerHandle.FromHandle(dupHandle)); control.Controls.Add(tmRmProps); } break; case "tmtm": { dupHandle = new GenericHandle(phandle, handle, (int)TmAccess.QueryInformation); var tmTmProps = new TmTmProperties(TmHandle.FromHandle(dupHandle)); control.Controls.Add(tmTmProps); } break; } }; if (dupHandle == null) { // Try to get a handle, since we need one for security editing. try { dupHandle = new GenericHandle(phandle, handle, 0); } catch { } } window.ObjectHandle = dupHandle; window.ShowDialog(); if (dupHandle != null) { dupHandle.Dispose(); } } catch (Exception ex) { PhUtils.ShowException("Unable to show handle properties", ex); } }
public KphSsClientEntryHandle SsCreateClientEntry( ProcessHandle processHandle, SemaphoreHandle readSemaphoreHandle, SemaphoreHandle writeSemaphoreHandle, IntPtr bufferBase, int bufferSize ) { byte* inData = stackalloc byte[0x14]; byte* outData = stackalloc byte[4]; *(int*)inData = processHandle; *(int*)(inData + 0x4) = readSemaphoreHandle; *(int*)(inData + 0x8) = writeSemaphoreHandle; *(int*)(inData + 0xc) = bufferBase.ToInt32(); *(int*)(inData + 0x10) = bufferSize; _fileHandle.IoControl(CtlCode(Control.SsCreateClientEntry), inData, 0x14, outData, 4); return new KphSsClientEntryHandle((*(int*)outData).ToIntPtr()); }