private void provider_DictionaryAdded(ModuleItem item)
{
HighlightedListViewItem litem = new HighlightedListViewItem(_highlightingContext, item.RunId > 0 && _runCount > 0)
{
Name = item.BaseAddress.ToString(),
Text = item.Name
};
litem.SubItems.Add(new ListViewItem.ListViewSubItem(litem, Utils.FormatAddress(item.BaseAddress)));
litem.SubItems.Add(new ListViewItem.ListViewSubItem(litem, Utils.FormatSize(item.Size)));
litem.SubItems.Add(new ListViewItem.ListViewSubItem(litem, item.FileDescription));
litem.ToolTipText = PhUtils.FormatFileInfo(item.FileName, item.FileDescription, item.FileCompanyName, item.FileVersion, 0);
litem.Tag = item;
litem.NormalColor = this.GetModuleColor(item);
if (item.FileName.Equals(_mainModule, StringComparison.OrdinalIgnoreCase))
{
litem.Font = new Font(litem.Font, FontStyle.Bold);
}
lock (_needsAdd)
_needsAdd.Add(litem);
}
public string GetToolTip(ProcessNode pNode)
{
try
{
string cmdText = (!string.IsNullOrEmpty(pNode.ProcessItem.CmdLine) ?
(Utils.CreateEllipsis(pNode.ProcessItem.CmdLine.Replace("\0", string.Empty), 100) + "\n") : string.Empty);
string fileText = string.Empty;
try
{
if (pNode.ProcessItem.VersionInfo != null)
{
var info = pNode.ProcessItem.VersionInfo;
fileText = "File:\n" + PhUtils.FormatFileInfo(info.FileName, info.FileDescription, info.CompanyName, info.FileVersion, 4);
}
}
catch
{
if (!string.IsNullOrEmpty(pNode.ProcessItem.FileName))
{
fileText = "File:\n " + pNode.ProcessItem.FileName;
}
}
string runDllText = string.Empty;
if (!string.IsNullOrEmpty(pNode.ProcessItem.FileName) &&
pNode.ProcessItem.FileName.EndsWith("\\rundll32.exe",
StringComparison.InvariantCultureIgnoreCase) &&
!string.IsNullOrEmpty(pNode.ProcessItem.CmdLine))
{
try
{
// TODO: fix crappy method
string targetFile = pNode.ProcessItem.CmdLine.Split(new char[] { ' ' }, 2)[1].Split(',')[0];
// if it doesn't specify an absolute path, assume it's in system32.
if (!targetFile.Contains(":", StringComparison.OrdinalIgnoreCase))
{
targetFile = Environment.SystemDirectory + "\\" + targetFile;
}
FileVersionInfo info = FileVersionInfo.GetVersionInfo(targetFile);
runDllText = "\nRunDLL target:\n " + info.FileName + "\n " +
info.FileDescription + " " + info.FileVersion + "\n " +
info.CompanyName;
}
catch (Exception ex)
{
Logging.Log(ex);
}
}
string dllhostText = string.Empty;
if (!string.IsNullOrEmpty(pNode.ProcessItem.FileName) &&
pNode.ProcessItem.FileName.EndsWith("\\dllhost.exe", StringComparison.InvariantCultureIgnoreCase) &&
!string.IsNullOrEmpty(pNode.ProcessItem.CmdLine))
{
try
{
string clsid = pNode.ProcessItem.CmdLine.ToLowerInvariant().Split(new[]
{
"/processid:"
}, StringSplitOptions.None)[1].Split(' ')[0];
using (RegistryKey key = Registry.ClassesRoot.OpenSubKey("CLSID\\" + clsid))
using (RegistryKey inprocServer32 = key.OpenSubKey("InprocServer32"))
{
string name = key.GetValue(string.Empty) as string;
string fileName = inprocServer32.GetValue(string.Empty) as string;
FileVersionInfo info = FileVersionInfo.GetVersionInfo(Environment.ExpandEnvironmentVariables(fileName));
dllhostText = "\nCOM Target:\n " + name + " (" + clsid.ToUpper() + ")\n " +
info.FileName + "\n " +
info.FileDescription + " " + info.FileVersion + "\n " + info.CompanyName;
}
}
catch (Exception ex)
{
Logging.Log(ex);
}
}
string servicesText = string.Empty;
try
{
IDictionary <int, List <string> > processServices;
IDictionary <string, ServiceItem> services;
if (!_tree.DumpMode)
{
processServices = Program.HackerWindow.ProcessServices;
services = Program.ServiceProvider.Dictionary;
}
else
{
processServices = _tree.DumpProcessServices;
services = _tree.DumpServices;
}
if (processServices.ContainsKey(pNode.Pid))
{
foreach (string service in processServices[pNode.Pid])
{
if (services.ContainsKey(service))
{
if (string.IsNullOrEmpty(services[service].Status.DisplayName))
{
servicesText += " " + service + " (" + services[service].Status.DisplayName + ")\n";
}
else
{
servicesText += " " + service + "\n";
}
}
else
{
servicesText += " " + service + "\n";
}
}
servicesText = "\nServices:\n" + servicesText.TrimEnd('\n');
}
}
catch (Exception ex)
{
Logging.Log(ex);
}
string otherNotes = string.Empty;
try
{
if (pNode.ProcessItem.IsPacked && pNode.ProcessItem.ImportModules > 0)
{
otherNotes += "\n Image is probably packed - has " +
pNode.ProcessItem.ImportFunctions.ToString() + " imports over " +
pNode.ProcessItem.ImportModules.ToString() + " modules.";
}
else if (pNode.ProcessItem.IsPacked)
{
otherNotes += "\n Image is probably packed - error reading PE file.";
}
if (pNode.ProcessItem.FileName != null)
{
if (pNode.ProcessItem.VerifyResult == VerifyResult.Trusted)
{
if (!string.IsNullOrEmpty(pNode.ProcessItem.VerifySignerName))
{
otherNotes += "\n Signer: " + pNode.ProcessItem.VerifySignerName;
}
else
{
otherNotes += "\n Signed.";
}
}
else if (pNode.ProcessItem.VerifyResult == VerifyResult.Unknown &&
!Settings.Instance.VerifySignatures)
{
otherNotes += string.Empty;
}
else if (pNode.ProcessItem.VerifyResult == VerifyResult.Unknown &&
Settings.Instance.VerifySignatures && !_tree.DumpMode)
{
otherNotes += "\n File has not been processed yet. Please wait...";
}
else if (pNode.ProcessItem.VerifyResult != VerifyResult.NoSignature)
{
otherNotes += "\n Signature invalid.";
}
if (Program.ImposterNames.Contains(pNode.Name.ToLowerInvariant()) &&
pNode.ProcessItem.VerifyResult != VerifyResult.Trusted &&
pNode.ProcessItem.VerifyResult != VerifyResult.Unknown)
{
otherNotes += "\n Process is using the name of a known process but its signature could not be verified.";
}
}
if (pNode.ProcessItem.IsInJob)
{
otherNotes += "\n Process is in a job.";
}
if (pNode.ProcessItem.ElevationType == TokenElevationType.Full)
{
otherNotes += "\n Process is elevated.";
}
if (pNode.ProcessItem.IsDotNet)
{
otherNotes += "\n Process is managed (.NET).";
}
if (pNode.ProcessItem.IsPosix)
{
otherNotes += "\n Process is POSIX.";
}
if (pNode.ProcessItem.IsWow64)
{
otherNotes += "\n Process is 32-bit (running under WOW64).";
}
if (otherNotes != string.Empty)
{
otherNotes = "\nNotes:" + otherNotes;
}
}
catch (Exception ex)
{
Logging.Log(ex);
}
return((cmdText + fileText + otherNotes + runDllText + dllhostText + servicesText).Trim(' ', '\n', '\r'));
}
catch (Exception ex)
{
Logging.Log(ex);
}
return(string.Empty);
}