private void wc_DownloadStringCompleted(object sender, DownloadStringCompletedEventArgs e)
{
buttonContinue.Enabled = true;
buttonQuit.Enabled = true;
if (e.Error != null || this.GetTitle(e.Result).Contains("ERROR", StringComparison.OrdinalIgnoreCase))
{
buttonSubmitReport.Enabled = true;
statusLinkLabel.Visible = false;
if (e.Error != null)
{
if (e.Error.InnerException != null)
{
PhUtils.ShowError("Unable to submit the error report: " + e.Error.InnerException.Message);
}
else
{
PhUtils.ShowError("Unable to submit the error report: " + e.Error.Message);
}
}
else
{
PhUtils.ShowError("Unable to submit the error report: " + this.GetTitle(e.Result));
}
}
else
{
statusLinkLabel.Enabled = true;
statusLinkLabel.Text = "View SourceForge error report";
_trackerItem = GetUrl(Regex.Replace(this.GetResult(e.Result), @"<(.|\n)*?>", string.Empty).Replace("&", "&"));
}
}
private void listImports_GroupLinkClicked(object sender, ProcessHacker.Components.LinkClickedEventArgs e)
{
string fileName;
this.Cursor = Cursors.WaitCursor;
try
{
fileName = FileUtils.FindFile(System.IO.Path.GetDirectoryName(_path), e.Group.Header);
if (!string.IsNullOrEmpty(fileName))
{
Program.GetPEWindow(fileName, Program.FocusWindow);
}
else
{
PhUtils.ShowError("Unable to find the DLL.");
}
}
catch (Exception ex)
{
PhUtils.ShowException("Unable to inspect the DLL", ex);
}
finally
{
this.Cursor = Cursors.Default;
}
}
public static bool ShowProperties(IWin32Window window, int pid, string name)
{
ElevationAction result;
// If we're viewing System, don't prompt for elevation since we can view
// thread and module information without it.
if (pid != 4)
{
result = PromptForElevation(
window,
new int[] { pid },
new string[] { name },
Program.MinProcessQueryRights,
"restart Process Hacker elevated",
"show properties for"
);
}
else
{
result = ElevationAction.NotRequired;
}
if (result == ElevationAction.Elevate)
{
Program.StartProcessHackerAdmin("-v -ip " + pid.ToString(), () =>
{
Program.HackerWindow.Exit();
}, window.Handle);
return(false);
}
else if (result == ElevationAction.Cancel)
{
return(false);
}
if (Program.ProcessProvider.Dictionary.ContainsKey(pid))
{
try
{
ProcessWindow pForm = Program.GetProcessWindow(Program.ProcessProvider.Dictionary[pid],
new Program.PWindowInvokeAction(delegate(ProcessWindow f)
{
Program.FocusWindow(f);
}));
}
catch (Exception ex)
{
PhUtils.ShowException("Unable to inspect the process", ex);
return(false);
}
}
else
{
PhUtils.ShowError("Unable to inspect the process because it does not exist.");
}
return(true);
}
private void SearchError(string message)
{
this.Invoke(new MethodInvoker(delegate
{
PhUtils.ShowError("Unable to search memory: " + message);
_searchThread = null;
Searcher_SearchFinished();
}));
}
private void SearchError(string message)
{
this.BeginInvoke(new MethodInvoker(() =>
{
PhUtils.ShowError("Unable to search memory: " + message);
this._searchThread = null;
this.Searcher_SearchFinished();
}));
}
private void textIconMenuProcesses_Leave(object sender, EventArgs e)
{
try
{
Settings.Instance.IconMenuProcessCount = Int32.Parse(textIconMenuProcesses.Value.ToString());
}
catch
{
PhUtils.ShowError("The entered value is not valid.");
textIconMenuProcesses.Select();
}
}
private void textUpdateInterval_Leave(object sender, EventArgs e)
{
try
{
Settings.Instance.RefreshInterval = Int32.Parse(textUpdateInterval.Value.ToString());
}
catch
{
PhUtils.ShowError("The entered value is not valid.");
textUpdateInterval.Select();
}
}
private void SetDepStatusKph()
{
DepStatus depStatus;
switch (this.comboStatus.SelectedItem.ToString())
{
case "Disabled":
depStatus = 0;
break;
case "Enabled":
depStatus = DepStatus.Enabled;
break;
case "Enabled, DEP-ATL thunk emulation disabled":
depStatus = DepStatus.Enabled | DepStatus.AtlThunkEmulationDisabled;
break;
default:
PhUtils.ShowError("Invalid value.");
return;
}
if (checkPermanent.Checked)
{
depStatus |= DepStatus.Permanent;
}
try
{
using (ProcessHandle phandle = new ProcessHandle(_pid, Program.MinProcessQueryRights))
phandle.DepStatus = depStatus;
this.DialogResult = DialogResult.OK;
this.Close();
}
catch (Exception ex)
{
PhUtils.ShowException("Unable to set the DEP status", ex);
}
}
private void processPropertiesMenuItem_Click(object sender, EventArgs e)
{
string type = listHandles.SelectedItems[0].SubItems[1].Text;
int pid;
if (type == "DLL" || type == "Mapped File")
{
pid = (int)listHandles.SelectedItems[0].Tag;
}
else
{
pid = ((SystemHandleEntry)listHandles.SelectedItems[0].Tag).ProcessId;
}
if (Program.ProcessProvider.Dictionary.ContainsKey(pid))
{
ProcessActions.ShowProperties(this, pid, Program.ProcessProvider.Dictionary[pid].Name);
}
else
{
PhUtils.ShowError("The process does not exist.");
}
}
private void SetDepStatusNoKph()
{
if (comboStatus.SelectedItem.ToString().StartsWith("Enabled"))
{
if (!PhUtils.ShowConfirmMessage(
"set",
"the DEP status",
"Enabling DEP in a process is a permanent action.",
false))
{
return;
}
}
DepFlags flags = DepFlags.Enable;
if (comboStatus.SelectedItem.ToString() == "Disabled")
{
flags = DepFlags.Disable;
}
else if (comboStatus.SelectedItem.ToString() == "Enabled")
{
flags = DepFlags.Enable;
}
else if (comboStatus.SelectedItem.ToString() == "Enabled, DEP-ATL thunk emulation disabled")
{
flags = DepFlags.Enable | DepFlags.DisableAtlThunkEmulation;
}
else
{
PhUtils.ShowError("Invalid value.");
return;
}
try
{
IntPtr kernel32 = Win32.GetModuleHandle("kernel32.dll");
IntPtr setProcessDepPolicy = Win32.GetProcAddress(kernel32, "SetProcessDEPPolicy");
if (setProcessDepPolicy == IntPtr.Zero)
{
throw new Exception("This feature is not supported on your version of Windows.");
}
using (ProcessHandle phandle = new ProcessHandle(_pid,
Program.MinProcessQueryRights | ProcessAccess.VmOperation |
ProcessAccess.VmRead | ProcessAccess.CreateThread))
{
var thread = phandle.CreateThreadWin32(setProcessDepPolicy, new IntPtr((int)flags));
thread.Wait(1000 * Win32.TimeMsTo100Ns);
int exitCode = thread.GetExitCode();
if (exitCode == 0)
{
throw new Exception("Unspecified error.");
}
}
this.DialogResult = DialogResult.OK;
this.Close();
}
catch (Exception ex)
{
PhUtils.ShowException("Unable to set the DEP status", ex);
}
}
private void readWriteAddressMemoryMenuItem_Click(object sender, EventArgs e)
{
PromptBox prompt = new PromptBox();
if (prompt.ShowDialog() == DialogResult.OK)
{
IntPtr address = new IntPtr(-1);
IntPtr regionAddress = IntPtr.Zero;
long regionSize = 0;
bool found = false;
try
{
address = ((long)BaseConverter.ToNumberParse(prompt.Value)).ToIntPtr();
}
catch
{
PhUtils.ShowError("You have entered an invalid address.");
return;
}
List <MemoryItem> items = new List <MemoryItem>();
foreach (MemoryItem item in _provider.Dictionary.Values)
{
items.Add(item);
}
items.Sort((i1, i2) => i1.Address.CompareTo(i2.Address));
int i = 0;
foreach (MemoryItem item in items)
{
MemoryItem regionItem = null;
if (item.Address.CompareTo(address) > 0)
{
if (i > 0)
{
regionItem = items[i - 1];
}
}
else if (item.Address.CompareTo(address) == 0)
{
regionItem = items[i];
}
if (regionItem != null && address.CompareTo(regionItem.Address) >= 0)
{
listMemory.Items[regionItem.Address.ToString()].Selected = true;
listMemory.Items[regionItem.Address.ToString()].EnsureVisible();
regionAddress = regionItem.Address;
regionSize = regionItem.Size;
found = true;
break;
}
i++;
}
if (!found)
{
PhUtils.ShowError("Unable to find the memory address.");
return;
}
MemoryEditor m_e = MemoryEditor.ReadWriteMemory(_pid, regionAddress, (int)regionSize, false,
new Program.MemoryEditorInvokeAction(delegate(MemoryEditor f) { f.Select(address.Decrement(regionAddress).ToInt64(), 1); }));
}
}
private void unloadMenuItem_Click(object sender, EventArgs e)
{
if (!PhUtils.ShowConfirmMessage(
"Unload",
_pid != 4 ? "the selected module" : "the selected driver",
_pid != 4 ?
"Unloading a module may cause the process to crash." :
"Unloading a driver may cause system instability.",
true
))
{
return;
}
if (_pid == 4)
{
try
{
var moduleItem = (ModuleItem)listModules.SelectedItems[0].Tag;
string serviceName = null;
// Try to find the name of the service key for the driver by
// looping through the objects in the Driver directory and
// opening each one.
using (var dhandle = new DirectoryHandle("\\Driver", DirectoryAccess.Query))
{
foreach (var obj in dhandle.GetObjects())
{
try
{
using (var driverHandle = new DriverHandle("\\Driver\\" + obj.Name))
{
if (driverHandle.GetBasicInformation().DriverStart == moduleItem.BaseAddress)
{
serviceName = driverHandle.GetServiceKeyName();
break;
}
}
}
catch
{ }
}
}
// If we didn't find the service name, use the driver base name.
if (serviceName == null)
{
if (moduleItem.Name.ToLower().EndsWith(".sys"))
{
serviceName = moduleItem.Name.Remove(moduleItem.Name.Length - 4, 4);
}
else
{
serviceName = moduleItem.Name;
}
}
RegistryKey servicesKey =
Registry.LocalMachine.OpenSubKey("SYSTEM\\CurrentControlSet\\Services", true);
bool serviceKeyCreated;
RegistryKey serviceKey;
// Check if the service key exists so that we don't delete it
// later if it does.
if (Array.Exists <string>(servicesKey.GetSubKeyNames(),
(keyName) => (string.Compare(keyName, serviceName, true) == 0)))
{
serviceKeyCreated = false;
}
else
{
serviceKeyCreated = true;
// Create the service key.
serviceKey = servicesKey.CreateSubKey(serviceName);
serviceKey.SetValue("ErrorControl", 1, RegistryValueKind.DWord);
serviceKey.SetValue("ImagePath", "\\??\\" + moduleItem.FileName, RegistryValueKind.ExpandString);
serviceKey.SetValue("Start", 1, RegistryValueKind.DWord);
serviceKey.SetValue("Type", 1, RegistryValueKind.DWord);
serviceKey.Close();
servicesKey.Flush();
}
try
{
Windows.UnloadDriver(serviceName);
}
finally
{
if (serviceKeyCreated)
{
servicesKey.DeleteSubKeyTree(serviceName);
}
servicesKey.Close();
}
listModules.SelectedItems.Clear();
}
catch (Exception ex)
{
MessageBox.Show("Unable to unload the driver. Make sure Process Hacker " +
"is running with administrative privileges. Error:\n\n" +
ex.Message, "Process Hacker", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
else
{
try
{
using (ProcessHandle phandle = new ProcessHandle(_pid,
Program.MinProcessQueryRights | ProcessAccess.VmOperation |
ProcessAccess.VmRead | ProcessAccess.VmWrite | ProcessAccess.CreateThread))
{
IntPtr baseAddress = ((ModuleItem)listModules.SelectedItems[0].Tag).BaseAddress;
phandle.SetModuleReferenceCount(baseAddress, 1);
ThreadHandle thread;
if (OSVersion.IsAboveOrEqual(WindowsVersion.Vista))
{
// Use RtlCreateUserThread to bypass session boundaries. Since
// LdrUnloadDll is a native function we don't need to notify CSR.
thread = phandle.CreateThread(
Loader.GetProcedure("ntdll.dll", "LdrUnloadDll"),
baseAddress
);
}
else
{
// On XP it seems we need to notify CSR...
thread = phandle.CreateThreadWin32(
Loader.GetProcedure("kernel32.dll", "FreeLibrary"),
baseAddress
);
}
thread.Wait(1000 * Win32.TimeMsTo100Ns);
NtStatus exitStatus = thread.GetExitStatus();
if (exitStatus == NtStatus.DllNotFound)
{
if (IntPtr.Size == 8)
{
PhUtils.ShowError("Unable to find the module to unload. This may be caused " +
"by an attempt to unload a mapped file or a 32-bit module.");
}
else
{
PhUtils.ShowError("Unable to find the module to unload. This may be caused " +
"by an attempt to unload a mapped file.");
}
}
else
{
exitStatus.ThrowIf();
}
thread.Dispose();
}
listModules.SelectedItems.Clear();
}
catch (Exception ex)
{
PhUtils.ShowException("Unable to unload the module", ex);
}
}
}
