1 #include "ProcessFun.h"
2
3 BOOL EnablePrivilege(ULONG Privilege, BOOL Enable)
4 {
5 HANDLE hToken = NULL;
6 if (!NT_SUCCESS(NtOpenProcessToken(NtCurrentProcess(), TOKEN_ALL_ACCESS, &hToken)) || hToken == NULL)
7 return FALSE;
8
9 TOKEN_PRIVILEGES tp = {};
10 tp.PrivilegeCount = 1;
11 tp.Privileges[0].Luid.LowPart = Privilege;
12 tp.Privileges[0].Attributes = Enable ? SE_PRIVILEGE_ENABLED : SE_PRIVILEGE_REMOVED;
13 return NT_SUCCESS(NtAdjustPrivilegesToken(hToken, FALSE, &tp, sizeof(tp), NULL, NULL));
14 }
15
16 DWORD NtEnumProcess(LPDWORD lpProcess)
17 {
18 DWORD dwSize = NULL;
19 PSYSTEM_PROCESSES lpbaSP = NULL;
20
21 if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, NULL, NULL, &dwSize) || dwSize == NULL))
22 return NULL;
23
24 if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
25 (PVOID *)&lpbaSP,
26 NULL,
27 &dwSize,
28 MEM_COMMIT,
29 PAGE_READWRITE)) ||
30 lpbaSP == NULL)
31 return NULL;
32
33 if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, (PVOID)lpbaSP, dwSize, NULL)))
34 {
35 NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
36 return NULL;
37 }
38
39 DWORD dwLenth = 0;
40 PSYSTEM_PROCESSES lpSP = lpbaSP;
41 while (lpSP->NextEntryDelta != NULL)
42 {
43 lpProcess[dwLenth++] = lpSP->ProcessId;
44
45 lpSP = (PSYSTEM_PROCESSES)((ULONG)lpSP + lpSP->NextEntryDelta);
46 }
47
48 NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
49
50 sort(lpProcess, lpProcess + dwLenth);
51
52 return dwLenth;
53 }
54
55 BOOL GetSystemProcess(DWORD dwPid, SYSTEM_PROCESSES &SystemProcess)
56 {
57 SystemProcess = {};
58
59 DWORD dwSize = NULL;
60 PSYSTEM_PROCESSES lpbaSP = NULL;
61
62 if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, NULL, NULL, &dwSize) || dwSize == NULL))
63 return FALSE;
64
65 if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
66 (PVOID *)&lpbaSP,
67 NULL,
68 &dwSize,
69 MEM_COMMIT,
70 PAGE_READWRITE)) ||
71 lpbaSP == NULL)
72 return FALSE;
73
74 if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, (PVOID)lpbaSP, dwSize, NULL)))
75 {
76 NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
77 return FALSE;
78 }
79
80 BOOL status = FALSE;
81 PSYSTEM_PROCESSES lpSP = lpbaSP;
82 while (lpSP->NextEntryDelta != NULL)
83 {
84 if (dwPid == lpSP->ProcessId)
85 {
86 SystemProcess = *lpSP;
87 status = TRUE;
88 break;
89 }
90
91 lpSP = (PSYSTEM_PROCESSES)((ULONG)lpSP + lpSP->NextEntryDelta);
92 }
93
94 NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
95
96 return status;
97 }
98
99 HANDLE NtOpenProcess(DWORD dwPid)
100 {
101 HANDLE hProcess = NULL;
102 OBJECT_ATTRIBUTES oa = {};
103 oa.Length = sizeof(oa);
104 CLIENT_ID cid = {};
105 cid.UniqueProcess = (HANDLE)(dwPid % 4 ? dwPid : dwPid + 3);
106
107 NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &oa, &cid);
108 return hProcess;
109 }
110
111 HANDLE DoOpenProcess(DWORD dwPid)
112 {
113 PCHAR lpBuf = NULL;
114 DWORD dwPreSize = 0x1000, dwSize = NULL;
115 if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
116 (PVOID *)&lpBuf,
117 NULL, &dwPreSize,
118 MEM_COMMIT, PAGE_READWRITE)) ||
119 lpBuf == NULL)
120 return NULL;
121
122 NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwPreSize, &dwSize);
123
124 NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwPreSize, MEM_RELEASE);
125 lpBuf = NULL;
126
127 if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
128 (PVOID *)&lpBuf,
129 NULL, &dwSize,
130 MEM_COMMIT,
131 PAGE_READWRITE)) ||
132 lpBuf == NULL)
133 return NULL;
134
135 NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwSize, NULL);
136
137 DWORD dwNumberOfHandle = *(DWORD *)lpBuf;
138 PSYSTEM_HANDLE_INFORMATION lpSHI = (PSYSTEM_HANDLE_INFORMATION)((PCHAR)lpBuf + sizeof(dwNumberOfHandle));
139
140 HANDLE hTgtProc = NULL;
141 for (DWORD i = 0; i < dwNumberOfHandle; i++, lpSHI++)
142 {
143 if (lpSHI->ObjectTypeNumber != OB_TYPE_PROCESS && lpSHI->ObjectTypeNumber != OB_TYPE_JOB)
144 continue;
145
146 HANDLE hSrcProc = NtOpenProcess(lpSHI->ProcessId);
147 if (hSrcProc == NULL)
148 continue;
149
150 HANDLE hTmpProc = NULL;
151 NtDuplicateObject(hSrcProc,
152 (HANDLE)lpSHI->Handle,
153 NtCurrentProcess(),
154 &hTmpProc,
155 PROCESS_ALL_ACCESS,
156 NULL,
157 NULL);
158
159 PROCESS_BASIC_INFORMATION pbi = {};
160 NtQueryInformationProcess(hTmpProc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL);
161
162 if (hTmpProc != NULL && pbi.UniqueProcessId != NULL && pbi.UniqueProcessId == dwPid)
163 /*{
164 hTgtProc = hTmpProc;
165 printf("%d %d 0x%llX
", lpSHI->ProcessId, pbi.UniqueProcessId, (DWORD64)lpSHI->Object);
166 }*/
167 hTgtProc = hTmpProc;
168
169 NtClose(hSrcProc);
170
171 if (hTgtProc != NULL)
172 break;
173
174 if (hTmpProc != NULL)
175 NtClose(hTmpProc);
176 }
177
178 NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwSize, MEM_RELEASE);
179
180 return hTgtProc;
181 }
182
183 HANDLE PowerOpenProcess(DWORD dwPid)
184 {
185 HANDLE hProcess = NtOpenProcess(dwPid);
186
187 if (hProcess != NULL && GetProcessId(hProcess) == dwPid)
188 return hProcess;
189
190 hProcess = DoOpenProcess(dwPid);
191 if (hProcess != NULL && GetProcessId(hProcess) == dwPid)
192 return hProcess;
193
194 return NULL;
195 }
196
197 BOOL IsProcessExit(HANDLE hProcess)
198 {
199 DWORD dwExitCode = NULL;
200 GetExitCodeProcess(hProcess, &dwExitCode);
201
202 return dwExitCode != STILL_ACTIVE;
203 }
204
205 BOOL NtTerminateProcess(HANDLE hProcess)
206 {
207 return NT_SUCCESS(NtTerminateProcess(hProcess, NULL)) && IsProcessExit(hProcess);
208 }
209
210 BOOL JoTerminateProcess(HANDLE hProcess)
211 {
212 HANDLE hJob = NULL;
213 OBJECT_ATTRIBUTES oa = {};
214 oa.Length = sizeof(oa);
215 if (!NT_SUCCESS(NtCreateJobObject(&hJob, JOB_OBJECT_ALL_ACCESS, &oa)))
216 return FALSE;
217
218 BOOL status = NT_SUCCESS(NtAssignProcessToJobObject(hJob, hProcess));
219
220 if (status)
221 status |= NT_SUCCESS(NtTerminateJobObject(hJob, NULL));
222
223 NtClose(hJob);
224
225 return status && IsProcessExit(hProcess);
226 }
227
228 BOOL CrtTerminateProcess(HANDLE hProcess)
229 {
230 //
231
232 return FALSE;
233 }
234
235 BOOL WvmTerminateProcess(HANDLE hProcess)
236 {
237 BOOL status = FALSE;
238
239 PVOID lpBuf = NULL;
240 DWORD dwSize = 0x1000, dwRet = NULL;
241 NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, NULL, &dwSize, MEM_COMMIT, PAGE_READWRITE);
242
243 for (INT64 i = 0x70000000; i < 0x7FFEFFFF; i += dwSize)
244 {
245 status |= NT_SUCCESS(NtUnmapViewOfSection(hProcess, (PVOID)i));
246 status |= NT_SUCCESS(NtProtectVirtualMemory(hProcess, (PVOID *)i, &dwSize, PAGE_READWRITE, &dwRet));
247 status |= NT_SUCCESS(NtWriteVirtualMemory(hProcess, (PVOID)i, lpBuf, dwSize, (PULONG)&dwRet));
248 }
249
250 NtFreeVirtualMemory(hProcess, (PVOID *)&lpBuf, &dwSize, MEM_RELEASE);
251
252 if (status)
253 Sleep(1000);
254
255 return status && IsProcessExit(hProcess);
256 }
257
258 BOOL PowerTerminateProcess(HANDLE hProcess)
259 {
260 if (NtTerminateProcess(hProcess))
261 return TRUE;
262
263 if (JoTerminateProcess(hProcess))
264 return TRUE;
265
266 if (WvmTerminateProcess(hProcess))
267 return TRUE;
268
269 return FALSE;
270 }
271
272 BOOL GetProcessFilePath(HANDLE hProcess, LPSTR lpFilePath)
273 {
274 if (hProcess == NULL || lpFilePath == NULL)
275 return FALSE;
276
277 strcpy(lpFilePath, "");
278
279 CHAR szDosPath[MAX_PATH] = "";
280 if (!GetProcessImageFileNameA(hProcess, szDosPath, MAX_PATH))
281 return FALSE;
282
283 return DosPathToNtPath(szDosPath, lpFilePath);
284 }
285
286 BOOL DosPathToNtPath(LPCSTR lpDosPath, LPSTR lpNtPath)
287 {
288 CHAR szDriveList[MAX_PATH] = "";
289 if (!GetLogicalDriveStringsA(MAX_PATH, szDriveList))
290 return FALSE;
291
292 for (int i = 0; szDriveList[i]; i += 4)
293 {
294 if (stricmp(&szDriveList[i], "A:\") == 0 || stricmp(&szDriveList[i], "B:\") == 0)
295 continue;
296
297 CHAR szNtDrive[MAX_PATH] = "", szDosDrive[MAX_PATH] = "";
298 strcpy(szNtDrive, &szDriveList[i]);
299 szNtDrive[2] = '