1 #include "ProcessFun.h"
2
3 BOOL EnablePrivilege(ULONG Privilege, BOOL Enable)
4 {
5 HANDLE hToken = NULL;
6 if (!NT_SUCCESS(NtOpenProcessToken(NtCurrentProcess(), TOKEN_ALL_ACCESS, &hToken)) || hToken == NULL)
7 return FALSE;
8
9 TOKEN_PRIVILEGES tp = {};
10 tp.PrivilegeCount = 1;
11 tp.Privileges[0].Luid.LowPart = Privilege;
12 tp.Privileges[0].Attributes = Enable ? SE_PRIVILEGE_ENABLED : SE_PRIVILEGE_REMOVED;
13 return NT_SUCCESS(NtAdjustPrivilegesToken(hToken, FALSE, &tp, sizeof(tp), NULL, NULL));
14 }
15
16 DWORD NtEnumProcess(LPDWORD lpProcess)
17 {
18 DWORD dwSize = NULL;
19 PSYSTEM_PROCESSES lpbaSP = NULL;
20
21 if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, NULL, NULL, &dwSize) || dwSize == NULL))
22 return NULL;
23
24 if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
25 (PVOID *)&lpbaSP,
26 NULL,
27 &dwSize,
28 MEM_COMMIT,
29 PAGE_READWRITE)) ||
30 lpbaSP == NULL)
31 return NULL;
32
33 if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, (PVOID)lpbaSP, dwSize, NULL)))
34 {
35 NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
36 return NULL;
37 }
38
39 DWORD dwLenth = 0;
40 PSYSTEM_PROCESSES lpSP = lpbaSP;
41 while (lpSP->NextEntryDelta != NULL)
42 {
43 lpProcess[dwLenth++] = lpSP->ProcessId;
44
45 lpSP = (PSYSTEM_PROCESSES)((ULONG)lpSP + lpSP->NextEntryDelta);
46 }
47
48 NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
49
50 sort(lpProcess, lpProcess + dwLenth);
51
52 return dwLenth;
53 }
54
55 BOOL GetSystemProcess(DWORD dwPid, SYSTEM_PROCESSES &SystemProcess)
56 {
57 SystemProcess = {};
58
59 DWORD dwSize = NULL;
60 PSYSTEM_PROCESSES lpbaSP = NULL;
61
62 if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, NULL, NULL, &dwSize) || dwSize == NULL))
63 return FALSE;
64
65 if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
66 (PVOID *)&lpbaSP,
67 NULL,
68 &dwSize,
69 MEM_COMMIT,
70 PAGE_READWRITE)) ||
71 lpbaSP == NULL)
72 return FALSE;
73
74 if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, (PVOID)lpbaSP, dwSize, NULL)))
75 {
76 NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
77 return FALSE;
78 }
79
80 BOOL status = FALSE;
81 PSYSTEM_PROCESSES lpSP = lpbaSP;
82 while (lpSP->NextEntryDelta != NULL)
83 {
84 if (dwPid == lpSP->ProcessId)
85 {
86 SystemProcess = *lpSP;
87 status = TRUE;
88 break;
89 }
90
91 lpSP = (PSYSTEM_PROCESSES)((ULONG)lpSP + lpSP->NextEntryDelta);
92 }
93
94 NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
95
96 return status;
97 }
98
99 HANDLE NtOpenProcess(DWORD dwPid)
100 {
101 HANDLE hProcess = NULL;
102 OBJECT_ATTRIBUTES oa = {};
103 oa.Length = sizeof(oa);
104 CLIENT_ID cid = {};
105 cid.UniqueProcess = (HANDLE)(dwPid % 4 ? dwPid : dwPid + 3);
106
107 NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &oa, &cid);
108 return hProcess;
109 }
110
111 HANDLE DoOpenProcess(DWORD dwPid)
112 {
113 PCHAR lpBuf = NULL;
114 DWORD dwPreSize = 0x1000, dwSize = NULL;
115 if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
116 (PVOID *)&lpBuf,
117 NULL, &dwPreSize,
118 MEM_COMMIT, PAGE_READWRITE)) ||
119 lpBuf == NULL)
120 return NULL;
121
122 NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwPreSize, &dwSize);
123
124 NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwPreSize, MEM_RELEASE);
125 lpBuf = NULL;
126
127 if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
128 (PVOID *)&lpBuf,
129 NULL, &dwSize,
130 MEM_COMMIT,
131 PAGE_READWRITE)) ||
132 lpBuf == NULL)
133 return NULL;
134
135 NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwSize, NULL);
136
137 DWORD dwNumberOfHandle = *(DWORD *)lpBuf;
138 PSYSTEM_HANDLE_INFORMATION lpSHI = (PSYSTEM_HANDLE_INFORMATION)((PCHAR)lpBuf + sizeof(dwNumberOfHandle));
139
140 HANDLE hTgtProc = NULL;
141 for (DWORD i = 0; i < dwNumberOfHandle; i++, lpSHI++)
142 {
143 if (lpSHI->ObjectTypeNumber != OB_TYPE_PROCESS && lpSHI->ObjectTypeNumber != OB_TYPE_JOB)
144 continue;
145
146 HANDLE hSrcProc = NtOpenProcess(lpSHI->ProcessId);
147 if (hSrcProc == NULL)
148 continue;
149
150 HANDLE hTmpProc = NULL;
151 NtDuplicateObject(hSrcProc,
152 (HANDLE)lpSHI->Handle,
153 NtCurrentProcess(),
154 &hTmpProc,
155 PROCESS_ALL_ACCESS,
156 NULL,
157 NULL);
158
159 PROCESS_BASIC_INFORMATION pbi = {};
160 NtQueryInformationProcess(hTmpProc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL);
161
162 if (hTmpProc != NULL && pbi.UniqueProcessId != NULL && pbi.UniqueProcessId == dwPid)
163 /*{
164 hTgtProc = hTmpProc;
165 printf("%d %d 0x%llX
", lpSHI->ProcessId, pbi.UniqueProcessId, (DWORD64)lpSHI->Object);
166 }*/
167 hTgtProc = hTmpProc;
168
169 NtClose(hSrcProc);
170
171 if (hTgtProc != NULL)
172 break;
173
174 if (hTmpProc != NULL)
175 NtClose(hTmpProc);
176 }
177
178 NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwSize, MEM_RELEASE);
179
180 return hTgtProc;
181 }
182
183 HANDLE PowerOpenProcess(DWORD dwPid)
184 {
185 HANDLE hProcess = NtOpenProcess(dwPid);
186
187 if (hProcess != NULL && GetProcessId(hProcess) == dwPid)
188 return hProcess;
189
190 hProcess = DoOpenProcess(dwPid);
191 if (hProcess != NULL && GetProcessId(hProcess) == dwPid)
192 return hProcess;
193
194 return NULL;
195 }
196
197 BOOL IsProcessExit(HANDLE hProcess)
198 {
199 DWORD dwExitCode = NULL;
200 GetExitCodeProcess(hProcess, &dwExitCode);
201
202 return dwExitCode != STILL_ACTIVE;
203 }
204
205 BOOL NtTerminateProcess(HANDLE hProcess)
206 {
207 return NT_SUCCESS(NtTerminateProcess(hProcess, NULL)) && IsProcessExit(hProcess);
208 }
209
210 BOOL JoTerminateProcess(HANDLE hProcess)
211 {
212 HANDLE hJob = NULL;
213 OBJECT_ATTRIBUTES oa = {};
214 oa.Length = sizeof(oa);
215 if (!NT_SUCCESS(NtCreateJobObject(&hJob, JOB_OBJECT_ALL_ACCESS, &oa)))
216 return FALSE;
217
218 BOOL status = NT_SUCCESS(NtAssignProcessToJobObject(hJob, hProcess));
219
220 if (status)
221 status |= NT_SUCCESS(NtTerminateJobObject(hJob, NULL));
222
223 NtClose(hJob);
224
225 return status && IsProcessExit(hProcess);
226 }
227
228 BOOL CrtTerminateProcess(HANDLE hProcess)
229 {
230 //
231
232 return FALSE;
233 }
234
235 BOOL WvmTerminateProcess(HANDLE hProcess)
236 {
237 BOOL status = FALSE;
238
239 PVOID lpBuf = NULL;
240 DWORD dwSize = 0x1000, dwRet = NULL;
241 NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, NULL, &dwSize, MEM_COMMIT, PAGE_READWRITE);
242
243 for (INT64 i = 0x70000000; i < 0x7FFEFFFF; i += dwSize)
244 {
245 status |= NT_SUCCESS(NtUnmapViewOfSection(hProcess, (PVOID)i));
246 status |= NT_SUCCESS(NtProtectVirtualMemory(hProcess, (PVOID *)i, &dwSize, PAGE_READWRITE, &dwRet));
247 status |= NT_SUCCESS(NtWriteVirtualMemory(hProcess, (PVOID)i, lpBuf, dwSize, (PULONG)&dwRet));
248 }
249
250 NtFreeVirtualMemory(hProcess, (PVOID *)&lpBuf, &dwSize, MEM_RELEASE);
251
252 if (status)
253 Sleep(1000);
254
255 return status && IsProcessExit(hProcess);
256 }
257
258 BOOL PowerTerminateProcess(HANDLE hProcess)
259 {
260 if (NtTerminateProcess(hProcess))
261 return TRUE;
262
263 if (JoTerminateProcess(hProcess))
264 return TRUE;
265
266 if (WvmTerminateProcess(hProcess))
267 return TRUE;
268
269 return FALSE;
270 }
271
272 BOOL GetProcessFilePath(HANDLE hProcess, LPSTR lpFilePath)
273 {
274 if (hProcess == NULL || lpFilePath == NULL)
275 return FALSE;
276
277 strcpy(lpFilePath, "");
278
279 CHAR szDosPath[MAX_PATH] = "";
280 if (!GetProcessImageFileNameA(hProcess, szDosPath, MAX_PATH))
281 return FALSE;
282
283 return DosPathToNtPath(szDosPath, lpFilePath);
284 }
285
286 BOOL DosPathToNtPath(LPCSTR lpDosPath, LPSTR lpNtPath)
287 {
288 CHAR szDriveList[MAX_PATH] = "";
289 if (!GetLogicalDriveStringsA(MAX_PATH, szDriveList))
290 return FALSE;
291
292 for (int i = 0; szDriveList[i]; i += 4)
293 {
294 if (stricmp(&szDriveList[i], "A:\") == 0 || stricmp(&szDriveList[i], "B:\") == 0)
295 continue;
296
297 CHAR szNtDrive[MAX_PATH] = "", szDosDrive[MAX_PATH] = "";
298 strcpy(szNtDrive, &szDriveList[i]);
299 szNtDrive[2] = '�';
300
301 if (!QueryDosDeviceA(szNtDrive, szDosDrive, MAX_PATH) ||
302 strncmp(szDosDrive, lpDosPath, strlen(szDosDrive)) != 0)
303 continue;
304
305 strcpy(lpNtPath, szNtDrive);
306 strcat(lpNtPath, &lpDosPath[strlen(szDosDrive)]);
307
308 return TRUE;
309 }
310
311 return FALSE;
312 }
313
314 DWORD GetEProcess(DWORD dwPid)
315 {
316 PCHAR lpBuf = NULL;
317 DWORD dwPreSize = 0x1000, dwSize = NULL;
318 if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
319 (PVOID *)&lpBuf,
320 NULL, &dwPreSize,
321 MEM_COMMIT, PAGE_READWRITE)) ||
322 lpBuf == NULL)
323 return NULL;
324
325 NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwPreSize, &dwSize);
326
327 NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwPreSize, MEM_RELEASE);
328 lpBuf = NULL;
329
330 if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
331 (PVOID *)&lpBuf,
332 NULL, &dwSize,
333 MEM_COMMIT,
334 PAGE_READWRITE)) ||
335 lpBuf == NULL)
336 return NULL;
337
338 NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwSize, NULL);
339
340 DWORD dwNumberOfHandle = *(DWORD *)lpBuf;
341 PSYSTEM_HANDLE_INFORMATION lpSHI = (PSYSTEM_HANDLE_INFORMATION)((PCHAR)lpBuf + sizeof(dwNumberOfHandle));
342
343 DWORD dwEProcess = NULL;
344 for (DWORD i = 0; i < dwNumberOfHandle; i++, lpSHI++)
345 {
346 if (lpSHI->ObjectTypeNumber != OB_TYPE_PROCESS && lpSHI->ObjectTypeNumber != OB_TYPE_JOB)
347 continue;
348
349 HANDLE hSrcProc = NtOpenProcess(lpSHI->ProcessId);
350 if (hSrcProc == NULL)
351 continue;
352
353 HANDLE hTmpProc = NULL;
354 NtDuplicateObject(hSrcProc,
355 (HANDLE)lpSHI->Handle,
356 NtCurrentProcess(),
357 &hTmpProc,
358 PROCESS_ALL_ACCESS,
359 NULL,
360 NULL);
361
362 PROCESS_BASIC_INFORMATION pbi = {};
363 NtQueryInformationProcess(hTmpProc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL);
364
365 if (hTmpProc != NULL && pbi.UniqueProcessId != NULL && pbi.UniqueProcessId == dwPid)
366 dwEProcess = (DWORD)lpSHI->Object;
367
368 NtClose(hSrcProc);
369
370 if (dwEProcess != NULL)
371 break;
372
373 if (hTmpProc != NULL)
374 NtClose(hTmpProc);
375 }
376
377 NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwSize, MEM_RELEASE);
378
379 return dwEProcess;
380 }
381
382 DWORD GetParentProcessId(DWORD dwPid)
383 {
384 SYSTEM_PROCESSES sp = {};
385 GetSystemProcess(dwPid, sp);
386
387 return sp.InheritedFromProcessId;
388 }
389
390 BOOL GetProcessName(DWORD dwPid, LPSTR lpProcessName)
391 {
392 strcpy(lpProcessName, "");
393
394 DWORD dwSize = NULL;
395 PSYSTEM_PROCESSES lpbaSP = NULL;
396
397 if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, NULL, NULL, &dwSize) || dwSize == NULL))
398 return FALSE;
399
400 if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
401 (PVOID *)&lpbaSP,
402 NULL,
403 &dwSize,
404 MEM_COMMIT,
405 PAGE_READWRITE)) ||
406 lpbaSP == NULL)
407 return FALSE;
408
409 if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, (PVOID)lpbaSP, dwSize, NULL)))
410 {
411 NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
412 return FALSE;
413 }
414
415 BOOL status = FALSE;
416 PSYSTEM_PROCESSES lpSP = lpbaSP;
417 while (lpSP->NextEntryDelta != NULL)
418 {
419 if (dwPid == lpSP->ProcessId)
420 {
421 wcstombs(lpProcessName, lpSP->ProcessName.Buffer, MAX_PATH);
422 status = TRUE;
423 break;
424 }
425
426 lpSP = (PSYSTEM_PROCESSES)((ULONG)lpSP + lpSP->NextEntryDelta);
427 }
428
429 NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
430
431 return status;
432 }
433
434 LARGE_INTEGER GetProcessCreateTime(DWORD dwPid)
435 {
436 SYSTEM_PROCESSES sp = {};
437 GetSystemProcess(dwPid, sp);
438
439 return sp.CreateTime;
440 }
