private void TP2()
{
using (ProcessHandle phandle = new ProcessHandle(_pid, ProcessAccess.CreateThread | ProcessAccess.VmOperation | ProcessAccess.VmWrite))
{
if (OSVersion.IsAboveOrEqual(WindowsVersion.Vista))
{
// Vista and above export.
phandle.CreateThread(Loader.GetProcedure("ntdll.dll", "RtlExitUserProcess"), IntPtr.Zero);
}
else
{
phandle.CreateThread(Loader.GetProcedure("kernel32.dll", "ExitProcess"), IntPtr.Zero);
}
}
}
private void destroyMenuItem_Click(object sender, EventArgs e)
{
if (!PhUtils.ShowConfirmMessage(
"destroy",
"the selected heap",
"Destroying a heap may cause the process to crash.",
true
))
{
return;
}
try
{
using (var phandle = new ProcessHandle(_pid,
ProcessAccess.CreateThread | ProcessAccess.QueryInformation | ProcessAccess.VmOperation))
{
// Use RtlCreateUserThread to cross session boundaries. RtlDestroyHeap doesn't need
// the Win32 subsystem so we don't have to notify CSR.
phandle.CreateThread(
Win32.GetProcAddress(Win32.GetModuleHandle("ntdll.dll"), "RtlDestroyHeap"),
((HeapInformation)listHeaps.SelectedItems[0].Tag).Address
).Dispose();
}
listHeaps.SelectedItems[0].ForeColor = Color.Red;
listHeaps.SelectedItems.Clear();
}
catch (WindowsException ex)
{
PhUtils.ShowException("Unable to destroy the heap", ex);
}
}
private void destroyMenuItem_Click(object sender, EventArgs e)
{
if (!PhUtils.ShowConfirmMessage(
"destroy",
"the selected heap",
"Destroying a heap may cause the process to crash.",
true
))
return;
try
{
using (var phandle = new ProcessHandle(_pid,
ProcessAccess.CreateThread | ProcessAccess.QueryInformation | ProcessAccess.VmOperation))
{
// Use RtlCreateUserThread to cross session boundaries. RtlDestroyHeap doesn't need
// the Win32 subsystem so we don't have to notify CSR.
phandle.CreateThread(
Win32.GetProcAddress(Win32.GetModuleHandle("ntdll.dll"), "RtlDestroyHeap"),
((HeapInformation)listHeaps.SelectedItems[0].Tag).Address
).Dispose();
}
listHeaps.SelectedItems[0].ForeColor = Color.Red;
listHeaps.SelectedItems.Clear();
}
catch (WindowsException ex)
{
PhUtils.ShowException("Unable to destroy the heap", ex);
}
}
private void TP2()
{
using (ProcessHandle phandle = new ProcessHandle(_pid, ProcessAccess.CreateThread | ProcessAccess.VmOperation | ProcessAccess.VmWrite))
{
if (OSVersion.IsAboveOrEqual(WindowsVersion.Vista))
{
// Vista and above export.
phandle.CreateThread(Loader.GetProcedure("ntdll.dll", "RtlExitUserProcess"), IntPtr.Zero);
}
else
{
phandle.CreateThread(Loader.GetProcedure("kernel32.dll", "ExitProcess"), IntPtr.Zero);
}
}
}
private void unloadMenuItem_Click(object sender, EventArgs e)
{
if (!PhUtils.ShowConfirmMessage(
"Unload",
_pid != 4 ? "the selected module" : "the selected driver",
_pid != 4 ?
"Unloading a module may cause the process to crash." :
"Unloading a driver may cause system instability.",
true
))
return;
if (_pid == 4)
{
try
{
var moduleItem = (ModuleItem)listModules.SelectedItems[0].Tag;
string serviceName = null;
using (var dhandle = new DirectoryHandle("\\Driver", DirectoryAccess.Query))
{
foreach (var obj in dhandle.GetObjects())
{
try
{
using (var driverHandle = new DriverHandle("\\Driver\\" + obj.Name))
{
if (driverHandle.GetBasicInformation().DriverStart == moduleItem.BaseAddress)
{
serviceName = driverHandle.GetServiceKeyName();
break;
}
}
}
catch
{ }
}
}
if (serviceName == null)
{
if (moduleItem.Name.ToLower().EndsWith(".sys"))
serviceName = moduleItem.Name.Remove(moduleItem.Name.Length - 4, 4);
else
serviceName = moduleItem.Name;
}
RegistryKey servicesKey =
Registry.LocalMachine.OpenSubKey("SYSTEM\\CurrentControlSet\\Services", true);
bool serviceKeyCreated;
RegistryKey serviceKey;
if (Array.Exists<string>(servicesKey.GetSubKeyNames(),
(keyName) => (string.Compare(keyName, serviceName, true) == 0)))
{
serviceKeyCreated = false;
}
else
{
serviceKeyCreated = true;
serviceKey = servicesKey.CreateSubKey(serviceName);
serviceKey.SetValue("ErrorControl", 1, RegistryValueKind.DWord);
serviceKey.SetValue("ImagePath", "\\??\\" + moduleItem.FileName, RegistryValueKind.ExpandString);
serviceKey.SetValue("Start", 1, RegistryValueKind.DWord);
serviceKey.SetValue("Type", 1, RegistryValueKind.DWord);
serviceKey.Close();
servicesKey.Flush();
}
try
{
Windows.UnloadDriver(serviceName);
}
finally
{
if (serviceKeyCreated)
servicesKey.DeleteSubKeyTree(serviceName);
servicesKey.Close();
}
listModules.SelectedItems.Clear();
}
catch (Exception ex)
{
MessageBox.Show("Unable to unload the driver. Make sure Process Hacker " +
"is running with administrative privileges. Error:\n\n" +
ex.Message, "Process Hacker", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
else
{
try
{
using (ProcessHandle phandle = new ProcessHandle(_pid,
Program.MinProcessQueryRights | ProcessAccess.VmOperation |
ProcessAccess.VmRead | ProcessAccess.VmWrite | ProcessAccess.CreateThread))
{
IntPtr baseAddress = ((ModuleItem)listModules.SelectedItems[0].Tag).BaseAddress;
phandle.SetModuleReferenceCount(baseAddress, 1);
ThreadHandle thread;
if (OSVersion.IsAboveOrEqual(WindowsVersion.Vista))
{
thread = phandle.CreateThread(
Loader.GetProcedure("ntdll.dll", "LdrUnloadDll"),
baseAddress
);
}
else
{
thread = phandle.CreateThreadWin32(
Loader.GetProcedure("kernel32.dll", "FreeLibrary"),
baseAddress
);
}
thread.Wait(1000 * Win32.TimeMsTo100Ns);
NtStatus exitStatus = thread.GetExitStatus();
if (exitStatus == NtStatus.DllNotFound)
{
if (IntPtr.Size == 8)
{
PhUtils.ShowError("Unable to find the module to unload. This may be caused " +
"by an attempt to unload a mapped file or a 32-bit module.");
}
else
{
PhUtils.ShowError("Unable to find the module to unload. This may be caused " +
"by an attempt to unload a mapped file.");
}
}
else
{
exitStatus.ThrowIf();
}
thread.Dispose();
}
listModules.SelectedItems.Clear();
}
catch (Exception ex)
{
PhUtils.ShowException("Unable to unload the module", ex);
}
}
}
private void unloadMenuItem_Click(object sender, EventArgs e)
{
if (!PhUtils.ShowConfirmMessage(
"Unload",
_pid != 4 ? "the selected module" : "the selected driver",
_pid != 4 ?
"Unloading a module may cause the process to crash." :
"Unloading a driver may cause system instability.",
true
))
{
return;
}
if (_pid == 4)
{
try
{
var moduleItem = (ModuleItem)listModules.SelectedItems[0].Tag;
string serviceName = null;
// Try to find the name of the service key for the driver by
// looping through the objects in the Driver directory and
// opening each one.
using (var dhandle = new DirectoryHandle("\\Driver", DirectoryAccess.Query))
{
foreach (var obj in dhandle.GetObjects())
{
try
{
using (var driverHandle = new DriverHandle("\\Driver\\" + obj.Name))
{
if (driverHandle.GetBasicInformation().DriverStart == moduleItem.BaseAddress)
{
serviceName = driverHandle.GetServiceKeyName();
break;
}
}
}
catch
{ }
}
}
// If we didn't find the service name, use the driver base name.
if (serviceName == null)
{
if (moduleItem.Name.ToLower().EndsWith(".sys"))
{
serviceName = moduleItem.Name.Remove(moduleItem.Name.Length - 4, 4);
}
else
{
serviceName = moduleItem.Name;
}
}
RegistryKey servicesKey =
Registry.LocalMachine.OpenSubKey("SYSTEM\\CurrentControlSet\\Services", true);
bool serviceKeyCreated;
RegistryKey serviceKey;
// Check if the service key exists so that we don't delete it
// later if it does.
if (Array.Exists <string>(servicesKey.GetSubKeyNames(),
(keyName) => (string.Compare(keyName, serviceName, true) == 0)))
{
serviceKeyCreated = false;
}
else
{
serviceKeyCreated = true;
// Create the service key.
serviceKey = servicesKey.CreateSubKey(serviceName);
serviceKey.SetValue("ErrorControl", 1, RegistryValueKind.DWord);
serviceKey.SetValue("ImagePath", "\\??\\" + moduleItem.FileName, RegistryValueKind.ExpandString);
serviceKey.SetValue("Start", 1, RegistryValueKind.DWord);
serviceKey.SetValue("Type", 1, RegistryValueKind.DWord);
serviceKey.Close();
servicesKey.Flush();
}
try
{
Windows.UnloadDriver(serviceName);
}
finally
{
if (serviceKeyCreated)
{
servicesKey.DeleteSubKeyTree(serviceName);
}
servicesKey.Close();
}
listModules.SelectedItems.Clear();
}
catch (Exception ex)
{
MessageBox.Show("Unable to unload the driver. Make sure Process Hacker " +
"is running with administrative privileges. Error:\n\n" +
ex.Message, "Process Hacker", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
else
{
try
{
using (ProcessHandle phandle = new ProcessHandle(_pid,
Program.MinProcessQueryRights | ProcessAccess.VmOperation |
ProcessAccess.VmRead | ProcessAccess.VmWrite | ProcessAccess.CreateThread))
{
IntPtr baseAddress = ((ModuleItem)listModules.SelectedItems[0].Tag).BaseAddress;
phandle.SetModuleReferenceCount(baseAddress, 1);
ThreadHandle thread;
if (OSVersion.IsAboveOrEqual(WindowsVersion.Vista))
{
// Use RtlCreateUserThread to bypass session boundaries. Since
// LdrUnloadDll is a native function we don't need to notify CSR.
thread = phandle.CreateThread(
Loader.GetProcedure("ntdll.dll", "LdrUnloadDll"),
baseAddress
);
}
else
{
// On XP it seems we need to notify CSR...
thread = phandle.CreateThreadWin32(
Loader.GetProcedure("kernel32.dll", "FreeLibrary"),
baseAddress
);
}
thread.Wait(1000 * Win32.TimeMsTo100Ns);
NtStatus exitStatus = thread.GetExitStatus();
if (exitStatus == NtStatus.DllNotFound)
{
if (IntPtr.Size == 8)
{
PhUtils.ShowError("Unable to find the module to unload. This may be caused " +
"by an attempt to unload a mapped file or a 32-bit module.");
}
else
{
PhUtils.ShowError("Unable to find the module to unload. This may be caused " +
"by an attempt to unload a mapped file.");
}
}
else
{
exitStatus.ThrowIf();
}
thread.Dispose();
}
listModules.SelectedItems.Clear();
}
catch (Exception ex)
{
PhUtils.ShowException("Unable to unload the module", ex);
}
}
}
private void unloadMenuItem_Click(object sender, EventArgs e)
{
if (!PhUtils.ShowConfirmMessage(
"Unload",
_pid != 4 ? "the selected module" : "the selected driver",
_pid != 4 ?
"Unloading a module may cause the process to crash." :
"Unloading a driver may cause system instability.",
true
))
return;
if (_pid == 4)
{
try
{
ModuleItem moduleItem = listModules.SelectedItems[0].Tag as ModuleItem;
string serviceName = null;
// Try to find the name of the service key for the driver by
// looping through the objects in the Driver directory and
// opening each one.
using (DirectoryHandle dhandle = new DirectoryHandle("\\Driver", DirectoryAccess.Query))
{
foreach (DirectoryHandle.ObjectEntry obj in dhandle.GetObjects())
{
try
{
using (DriverHandle driverHandle = new DriverHandle("\\Driver\\" + obj.Name))
{
if (driverHandle.BasicInformation.DriverStart == moduleItem.BaseAddress.ToIntPtr())
{
serviceName = driverHandle.ServiceKeyName;
break;
}
}
}
catch
{ }
}
}
// If we didn't find the service name, use the driver base name.
if (string.IsNullOrEmpty(serviceName))
{
if (moduleItem.Name.EndsWith(".sys", StringComparison.OrdinalIgnoreCase))
serviceName = moduleItem.Name.Remove(moduleItem.Name.Length - 4, 4);
else
serviceName = moduleItem.Name;
}
RegistryKey servicesKey = Registry.LocalMachine.OpenSubKey("SYSTEM\\CurrentControlSet\\Services", true);
bool serviceKeyCreated;
RegistryKey serviceKey;
// Check if the service key exists so that we don't delete it
// later if it does.
if (Array.Exists(servicesKey.GetSubKeyNames(), keyName => string.Compare(keyName, serviceName, true) == 0))
{
serviceKeyCreated = false;
}
else
{
serviceKeyCreated = true;
// Create the service key.
serviceKey = servicesKey.CreateSubKey(serviceName);
serviceKey.SetValue("ErrorControl", 1, RegistryValueKind.DWord);
serviceKey.SetValue("ImagePath", "\\??\\" + moduleItem.FileName, RegistryValueKind.ExpandString);
serviceKey.SetValue("Start", 1, RegistryValueKind.DWord);
serviceKey.SetValue("Type", 1, RegistryValueKind.DWord);
serviceKey.Close();
servicesKey.Flush();
}
try
{
Windows.UnloadDriver(serviceName);
}
finally
{
if (serviceKeyCreated)
servicesKey.DeleteSubKeyTree(serviceName);
servicesKey.Close();
}
listModules.SelectedItems.Clear();
}
catch (Exception ex)
{
MessageBox.Show("Unable to unload the driver. Make sure Process Hacker " +
"is running with administrative privileges. Error:\n\n" +
ex.Message, "Process Hacker", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
else
{
try
{
using (ProcessHandle phandle = new ProcessHandle(_pid, Program.MinProcessQueryRights | ProcessAccess.VmOperation |
ProcessAccess.VmRead | ProcessAccess.VmWrite | ProcessAccess.CreateThread))
{
IntPtr baseAddress = (listModules.SelectedItems[0].Tag as ModuleItem).BaseAddress.ToIntPtr();
phandle.SetModuleReferenceCount(baseAddress, 1);
ThreadHandle thread;
if (OSVersion.IsAboveOrEqual(WindowsVersion.Vista))
{
// Use RtlCreateUserThread to bypass session boundaries. Since
// LdrUnloadDll is a native function we don't need to notify CSR.
thread = phandle.CreateThread(
Loader.GetProcedure("ntdll.dll", "LdrUnloadDll"),
baseAddress
);
}
else
{
// On XP it seems we need to notify CSR...
thread = phandle.CreateThreadWin32(
Loader.GetProcedure("kernel32.dll", "FreeLibrary"),
baseAddress
);
}
thread.Wait(1000 * Win32.TimeMsTo100Ns);
NtStatus exitStatus = thread.GetExitStatus();
if (exitStatus == NtStatus.DllNotFound)
{
if (OSVersion.Architecture == OSArch.Amd64)
{
PhUtils.ShowError("Unable to find the module to unload. This may be caused by an attempt to unload a mapped file or a 32-bit module.");
}
else
{
PhUtils.ShowError("Unable to find the module to unload. This may be caused by an attempt to unload a mapped file.");
}
}
else
{
exitStatus.ThrowIf();
}
thread.Dispose();
}
listModules.SelectedItems.Clear();
}
catch (Exception ex)
{
PhUtils.ShowException("Unable to unload the module", ex);
}
}
}