中交建设 招标有限公司网站,石大远程网页设计与网站建设答案,网站开发 性能方面,有关网站开发的论文windows 显示进程地址空间
windows 显示进程地址空间 文章目录 windows 显示进程地址空间显示进程地址空间 显示进程地址空间
/*
3-ProcessInfo.cpp
显示进程地址空间
*/#include ..\\CommonFiles\\CmnHdr.h
#include ..\\CommonFiles\\Toolhelp.h#i…windows 显示进程地址空间
windows 显示进程地址空间 文章目录 windows 显示进程地址空间显示进程地址空间 显示进程地址空间
/*
3-ProcessInfo.cpp
显示进程地址空间
*/#include ..\\CommonFiles\\CmnHdr.h
#include ..\\CommonFiles\\Toolhelp.h#include resource.h
#include windowsx.h
#include stdarg.h
#include stdio.h#include winternl.h //用于windows内部声明
#include AclAPI.h //用于ACL访问控制器列表管理
#include Shlwapi.h //用于windows shell strFormatKBSize.
#include ShlObj.h //为IsUserAnAdmin测试当前用户是否是管理员组的成员。
#include AclAPI.h //用于ACL/ACE函数#include tchar.h
#include strsafe.h#pragma comment (lib,shlwapi.lib)//shell 轻型使用工具函数库
#pragma comment (lib,shell32.lib)//
//NTQueryInformationProcess在winternl.h中定义
typedef NTSTATUS(CALLBACK* PFN_NTQUERYINFORMATIONPROCESS)(HANDLE ProcessHandle,PROCESSINFOCLASS ProcessInformationClass,PVOID ProcessInformation,ULONG ProcessInformationLength,PULONG ReturnLength OPTIONAL);typedef struct
{DWORD Filler[4];DWORD InfoBlockAddress;
}__PEB;typedef struct
{DWORD Filler[17];DWORD wszCmdLineAddress;
}__INFOBLOCK;//
/*
PEB(process Environment Block)是一个未公开的结构体
typedef struct _PEB{BYTE Reserved1[2];//2字节BYTE BeingDegged; //1BYTE Reserved2[1];//1PVOID Reserved3[2]//2*48PPED_LDR_DATA Ldr; //4PRTL_USER_PROCESS_PARAMETERS ProcessParamters;BYTE Reserved4[104];PVOID Reserved5[52];PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;BYTE Reserved6[128];PVOID Reserved7[1];ULONG SessionId;}PEB,*PPEB;typedef struct _RTL_USER_PROCESS_PARAMETERS{BYTE Reserved1[16];16字节PVOID Reserved2[10];UNICODE_STRING ImagePathName;UNICODE_STRING CommandLine;}RTL_USER_PROCESS_PARAMETERS,*PRTL_USER_PROCESS_PARAMETERS}
*/
//全局变量
//指示由GetTokenInformation函数查询的令牌的提升类型
TOKEN_ELEVATION_TYPE s_elevationType TokenElevationTypeDefault;
BOOL s_bIsAdmin FALSE;//是否未管理员
const int s_cchAddress sizeof(PVOID) * 2;
//函数原型
INT_PTR WINAPI Dlg_Proc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam);
BOOL Dlg_OnInitDialog(HWND hwnd, HWND hwndFocus, LPARAM lParam);
BOOL Dlg_OnSize(HWND hwnd, UINT state, int cx, int cy);
void Dlg_OnCommand(HWND hwnd, int id, HWND hwndCtrl, UINT codeNotify);
DWORD StartElevatedProcess(LPCTSTR szExecutable, LPCTSTR szCmdLine);
BOOL GetProcessElevation(TOKEN_ELEVATION_TYPE* pElevationType, BOOL* pIsAdmin);
VOID ShowModeleInfo(HWND hwnd, PCTSTR pszModulePath);
VOID ShowProcessInfo(HWND hwnd, DWORD dwProcessID);
VOID FormatSizeInKB(DWORD dwSize, DWORD nCharacters,LPTSTR szSize,size_t cchSize);BOOL GetProcessOwner(DWORD PID, LPTSTR szOwner, DWORD cchSize);
BOOL GetProcessOwner(HANDLE hProcess, LPTSTR szOwner, size_t cchSize);
BOOL GetProcessCmdLine(DWORD PID, LPTSTR szCmdLine, DWORD Size);
BOOL GetProcessCmdLine(HANDLE hProcess, LPTSTR szCmdLine, DWORD Size);
NTSTATUS _NtQueryInformationProcess(HANDLE hProcess, PROCESSINFOCLASS pic,PVOID pPI, ULONG cbSize, PULONG pLength);VOID Dlg_PopulateModuleList(HWND hwnd);
VOID Dlg_PopulateProcessList(HWND hwnd);
BOOL GetProcessIntegrityLevel(DWORD PID, PDWORD pIntegrityLevel,PDWORD pPolicy, PDWORD pResourceIntegrityLevel, PDWORD pResourcePolicy);
BOOL GetProcessIntegrityLevel(HANDLE hProcess, PDWORD pIntegrityLevel,PDWORD pPolicy, PDWORD pResourceIntegrityLevel, PDWORD pResourcePolicy);
void AddText(HWND hwnd, PCTSTR pszFormat, ...);
PVOID GetModulePreferredBaseAddr(DWORD dwProcessId, PVOID pvModuleRemote);BOOL GetProcessOwner(HANDLE hProcess, LPTSTR szOwner, size_t cchSize) {// Sanity checksif ((szOwner NULL) || (cchSize 0))return(FALSE);// Default valueszOwner[0] TEXT(\0);// Gget process tokenHANDLE hToken NULL;CToolhelp::EnablePrivilege(SE_TCB_NAME, TRUE);if (!OpenProcessToken(hProcess, TOKEN_QUERY, hToken)) {CToolhelp::EnablePrivilege(SE_TCB_NAME, FALSE);return(FALSE);}// Obtain the size of the user information in the token.DWORD cbti 0;GetTokenInformation(hToken, TokenUser, NULL, 0, cbti);// Call should have failed due to zero-length buffer.if (GetLastError() ERROR_INSUFFICIENT_BUFFER) {// Allocate buffer for user information in the token.PTOKEN_USER ptiUser (PTOKEN_USER)HeapAlloc(GetProcessHeap(), 0, cbti);if (ptiUser ! NULL) {// Retrieve the user information from the token.if (GetTokenInformation(hToken, TokenUser, ptiUser, cbti, cbti)) {SID_NAME_USE snu;TCHAR szUser[MAX_PATH];DWORD chUser MAX_PATH;PDWORD pcchUser chUser;TCHAR szDomain[MAX_PATH];DWORD chDomain MAX_PATH;PDWORD pcchDomain chDomain;// Retrieve user name and domain name based on users SID.if (LookupAccountSid(NULL,ptiUser-User.Sid,szUser,pcchUser,szDomain,pcchDomain,snu)) {// build the owner string as \\DomainName\UserName_tcscpy_s(szOwner, cchSize, TEXT(\\\\));_tcscat_s(szOwner, cchSize, szDomain);_tcscat_s(szOwner, cchSize, TEXT(\\));_tcscat_s(szOwner, cchSize, szUser);}}// Dont forget to free memory bufferHeapFree(GetProcessHeap(), 0, ptiUser);}}// Dont forget to free process tokenCloseHandle(hToken);// Restore privilegesCToolhelp::EnablePrivilege(SE_TCB_NAME, TRUE);return(TRUE);
}BOOL GetProcessOwner(DWORD PID, LPTSTR szOwner, DWORD cchSize) {// Sanity checksif ((PID 0) || (szOwner NULL))return(FALSE);// Check if we can get information for this processHANDLE hProcess OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, PID);if (hProcess NULL)return(FALSE);BOOL bReturn GetProcessOwner(hProcess, szOwner, cchSize);// Dont forget to release the process handleCloseHandle(hProcess);return(bReturn);
}NTSTATUS _NtQueryInformationProcess(HANDLE hProcess,PROCESSINFOCLASS pic,PVOID pPI,ULONG cbSize,PULONG pLength
) {HMODULE hNtDll LoadLibrary(TEXT(ntdll.dll));if (hNtDll NULL) {return(-1);}NTSTATUS lStatus -1; // error by default.// Note that function name is not UNICODEPFN_NTQUERYINFORMATIONPROCESS pfnNtQIP (PFN_NTQUERYINFORMATIONPROCESS)GetProcAddress(hNtDll, NtQueryInformationProcess);if (pfnNtQIP ! NULL) {lStatus pfnNtQIP(hProcess, pic, pPI, cbSize, pLength);}FreeLibrary(hNtDll);return(lStatus);
}///
int WINAPI _tWinMain(HINSTANCE hInstanceExe, HINSTANCE, PTSTR pszCmdLine, int)
{//打开调试权限以运行应用程序查看服务应用CToolhelp::EnablePrivilege(SE_DEBUG_NAME, TRUE);//打开访问SACL权限--访问控制权限CToolhelp::EnablePrivilege(SE_SECURITY_NAME, TRUE);//显示主窗口DialogBox(hInstanceExe, MAKEINTRESOURCE(IDD_PROCESSINFO), NULL, Dlg_Proc);CToolhelp::EnablePrivilege(SE_SECURITY_NAME, FALSE);CToolhelp::EnablePrivilege(SE_DEBUG_NAME, FALSE);return (0);
}INT_PTR WINAPI Dlg_Proc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{switch (uMsg){chHANDLE_DLGMSG(hwnd, WM_INITDIALOG, Dlg_OnInitDialog);chHANDLE_DLGMSG(hwnd, WM_SIZE, Dlg_OnSize);chHANDLE_DLGMSG(hwnd, WM_COMMAND, Dlg_OnCommand);}return(FALSE);
}BOOL Dlg_OnInitDialog(HWND hwnd, HWND hwndFocus, LPARAM lParam)
{chSETDLGICONS(hwnd, IDI_PROCESSINFO);//当提升权限或者禁用UAC时吗管理员特权被设置为TRUEBOOL bCanReadSystemProcesses FALSE;//显示是否正在运行“Filter Token”if (GetProcessElevation(s_elevationType,s_bIsAdmin)){//提升标题的前缀TCHAR szTitle[64];switch (s_elevationType){//默认用户活禁用UACcase TokenElevationTypeDefault:if (IsUserAnAdmin()){_tcscpy_s(szTitle, _countof(szTitle), TEXT(Default Administrator));bCanReadSystemProcesses TRUE;}else{_tcscpy_s(szTitle, _countof(szTitle), TEXT(Default: ));}break;//进程权限被提升成功case TokenElevationTypeFull:if (IsUserAnAdmin()){_tcscpy_s(szTitle, _countof(szTitle), TEXT(Elevated Administorator));bCanReadSystemProcesses TRUE;}else{_tcscpy_s(szTitle, _countof(szTitle), TEXT(Elevated: ));}break;//进程运行与受限筛选令牌下case TokenElevationTypeLimited:if (s_bIsAdmin){_tcscpy_s(szTitle, _countof(szTitle), TEXT(Filtered Administrator));}else{_tcscpy_s(szTitle, _countof(szTitle), TEXT(Filtered: ));}break;}//根据提示类型更新对话框标题GetWindowText(hwnd, _tcschr(szTitle, TEXT(\0)),_countof(szTitle) - _tcslen(szTitle));SetWindowText(hwnd, szTitle);//增加“循牌”图标以运行用户以提升的权限来运行程序if (!bCanReadSystemProcesses){Button_SetElevationRequiredState(GetDlgItem(hwnd, IDC_BTN_SYSTEM_PROCESSES),!bCanReadSystemProcesses);}else{//已经提升权限则不不需要显示按钮ShowWindow(GetDlgItem(hwnd, IDC_BTN_SYSTEM_PROCESSES), SW_HIDE);//将组合列表框扩展到整个对话框的宽度MoveWindow(GetDlgItem(hwnd, IDC_BTN_SYSTEM_PROCESSES),0,0,0,0,FALSE);}}//隐藏“模块帮助”列表框ShowWindow(GetDlgItem(hwnd, IDC_MODULEHELP), SW_HIDE);//使输出窗口使用等宽字体SetWindowFont(GetDlgItem(hwnd, IDC_RESULTS),GetStockFont(ANSI_FIXED_FONT), FALSE);//默认下显示运行中的进程Dlg_PopulateProcessList(hwnd);return (TRUE);
}//
BOOL Dlg_OnSize(HWND hwnd, UINT state, int cx, int cy)
{RECT btnRect;HWND hwndCtrl GetDlgItem(hwnd, IDC_BTN_SYSTEM_PROCESSES);GetClientRect(hwndCtrl, btnRect);RECT rc;int n LOWORD(GetDialogBaseUnits());//字体的宽度hwndCtrl GetDlgItem(hwnd, IDC_PROCESSMODULELIST);GetClientRect(hwndCtrl, rc);SetWindowPos(hwndCtrl, NULL,n n btnRect.right,//按钮宽度一个字符宽度n,//y一个字符的高度cx - n - n - n - btnRect.right,//Combox宽度右边距留一字符宽度rc.bottom,SWP_NOZORDER);hwndCtrl GetDlgItem(hwnd, IDC_RESULTS);SetWindowPos(hwndCtrl, NULL,n,n rc.bottom n,cx - n - n,cy - (n rc.bottom n) - n,SWP_NOZORDER);return 0;
}//
void Dlg_OnCommand(HWND hwnd, int id, HWND hwndCtrl, UINT codeNotify)
{static BOOL s_fProcesses TRUE;switch (id){case IDCANCEL:EndDialog(hwnd, id);break;//以管理员身份重启应用程序case IDC_BTN_SYSTEM_PROCESSES:{//case分支里面定义变量要加大括号ShowWindow(hwnd, SW_HIDE);TCHAR szApplication[MAX_PATH];DWORD cchLength _countof(szApplication);//获取进程的完整银蛇名称//第二个参为0表示使用win32路径格式PROCESS_NAME_NATIVE,表示使用本地系统路径格式//第四个参数返回字符串中字符的个数不含\0)QueryFullProcessImageName(GetCurrentProcess(), 0, szApplication, cchLength);DWORD dwStatus StartElevatedProcess(szApplication, NULL);//手动提升权限if (dwStatus S_OK){//不需要极限在低特权下工作退出本进程ExitProcess(0);}//否则新进程如果启动失败重新显示本进程的主窗口ShowWindow(hwnd, SW_SHOWNORMAL);}break;//Processes菜单case ID_PROCESSES:s_fProcesses TRUE;//MF_BYCOMMAND:通过ID定位EnableMenuItem(GetMenu(hwnd), ID_VMMAP, MF_BYCOMMAND | MF_ENABLED);DrawMenuBar(hwnd);Dlg_PopulateProcessList(hwnd);break;//modules菜单项case ID_MODULES:EnableMenuItem(GetMenu(hwnd), ID_VMMAP,MF_BYCOMMAND|MF_GRAYED);DrawMenuBar(hwnd);s_fProcesses FALSE;Dlg_PopulateModuleList(hwnd);break;case IDC_PROCESSMODULELIST:if (codeNotify CBN_SELCHANGE){DWORD dw ComboBox_GetCurSel(hwndCtrl);if (s_fProcesses){dw (DWORD)ComboBox_GetItemData(hwndCtrl, dw);//process idShowProcessInfo(GetDlgItem(hwnd, IDC_RESULTS), dw);}else{//完整路径的索引在helper listbox中dw (DWORD)ComboBox_GetItemData(hwndCtrl, dw);TCHAR szModulePath[1024];ListBox_GetText(GetDlgItem(hwnd, IDC_MODULEHELP),dw, szModulePath);ShowModeleInfo(GetDlgItem(hwnd, IDC_RESULTS), szModulePath);}}break;//VMAP菜单0case ID_VMMAP:{TCHAR szCmdLine[32];//下拉列表框HWND hwndCB GetDlgItem(hwnd, IDC_PROCESSMODULELIST);DWORD dwProcessId (DWORD)ComboBox_GetItemData(hwndCB, ComboBox_GetCurSel(hwndCB));StringCchPrintf(szCmdLine, _countof(szCmdLine), TEXT(%d),dwProcessId);DWORD dwStatus StartElevatedProcess(TEXT(\14-VMMap.exe\), szCmdLine);//以管理员身份运行14-VMMap.exe程序时会进行提升权限的询问如果时用户拒绝//则显示下列消息框if (dwStatus ERROR_CANCELLED){chMB(Failed to run 14-VMMap.exe:you refused access.);}}break;}
}//手动提升权限
DWORD StartElevatedProcess(LPCTSTR szExecutable, LPCTSTR szCmdLine)
{//初始化结构体SHELLEXECUTEINFO sei { sizeof(SHELLEXECUTEINFO) };//请求管理员身份sei.lpVerb TEXT(runas);//run administrator?//传入要提高权限的应用城项名sei.lpFile szExecutable;//传入命令行参数sei.lpParameters szCmdLine;//窗口正常显示否则新启动的进程七窗口将被隐藏sei.nShow SW_SHOWNORMAL;ShellExecuteEx(sei);return (GetLastError());
}//获取令牌提升的类型机判断当前进程是否以管理员身份运行
BOOL GetProcessElevation(TOKEN_ELEVATION_TYPE* pElevationType, BOOL* pIsAdmin)
{HANDLE hToken NULL;DWORD dwSize;//获取当前进程的Token if (!OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,hToken)){return (FALSE);}BOOL bResult FALSE;//获取提升类型if (GetTokenInformation(hToken,TokenElevationType,pElevationType,sizeof(TOKEN_ELEVATION_TYPE),dwSize)){//创建管理员组的SIDbyte adminSID[SECURITY_MAX_SID_SIZE];dwSize sizeof(adminSID);CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, adminSID,dwSize);//筛选令牌if (*pElevationType TokenElevationTypeLimited){//取地与筛选令牌关联的未筛选令牌HANDLE hUnfilTeredToken NULL;GetTokenInformation(hToken, TokenLinkedToken, (void*)hUnfilTeredToken, sizeof(HANDLE), dwSize);//通过初始未被筛选的令牌判断是否包含管理员SIDif (CheckTokenMembership(hUnfilTeredToken,adminSID,pIsAdmin)){bResult TRUE;}//关闭未筛选的令牌CloseHandle(hUnfilTeredToken);}else{//未筛选令牌*pIsAdmin IsUserAnAdmin();bResult TRUE;}}//关闭当前进程的令牌CloseHandle(hToken);return (bResult);
}VOID ShowModeleInfo(HWND hwnd, PCTSTR pszModulePath)
{SetWindowText(hwnd, TEXT( ));//Clear the output box CToolhelp thProcesses(TH32CS_SNAPPROCESS);PROCESSENTRY32 pe { sizeof(pe) };BOOL fOk thProcesses.ProcessFirst(pe);AddText(hwnd, TEXT(Pathname:%s\r\n\r\n), pszModulePath);AddText(hwnd, TEXT(Process Informaton:\r\n));AddText(hwnd, TEXT( PID %-*s Process\r\n),s_cchAddress, TEXT(BaseAddr));for (; fOk; fOk thProcesses.ProcessNext(pe)){CToolhelp thModules(TH32CS_SNAPMODULE, pe.th32ProcessID);MODULEENTRY32 me { sizeof(me) };BOOL fOk thModules.ModuleFirst(me);for (;fOk;fOk thModules.ModuleNext(me)){if (_tcscmp(me.szExePath, pszModulePath) 0){AddText(hwnd, TEXT( %08X %p %s\r\n),pe.th32ProcessID, me.modBaseAddr, pe.szExeFile);}}}
}void AddText(HWND hwnd, PCTSTR pszFormat, ...)
{va_list argList;va_start(argList, pszFormat);TCHAR sz[20 * 1024];Edit_GetText(hwnd, sz, _countof(sz));_vstprintf_s(_tcschr(sz, TEXT(\0)), _countof(sz) - _tcslen(sz),pszFormat, argList);Edit_SetText(hwnd, sz);va_end(argList);
}VOID ShowProcessInfo(HWND hwnd, DWORD dwProcessID) {SetWindowText(hwnd, TEXT()); // Clear the output boxCToolhelp th(TH32CS_SNAPALL, dwProcessID);// Show Process detailsPROCESSENTRY32 pe { sizeof(pe) };BOOL fOk th.ProcessFirst(pe);for (; fOk; fOk th.ProcessNext(pe)) {if (pe.th32ProcessID dwProcessID) {TCHAR szCmdLine[1024];if (GetProcessCmdLine(dwProcessID, szCmdLine, _countof(szCmdLine))) {AddText(hwnd,TEXT(Command line: %s %s\r\n), pe.szExeFile, szCmdLine);}else {AddText(hwnd, TEXT(Filename: %s\r\n), pe.szExeFile);}AddText(hwnd, TEXT( PID%08X, ParentPID%08X, )TEXT(PriorityClass%d, Threads%d, Heaps%d\r\n),pe.th32ProcessID, pe.th32ParentProcessID,pe.pcPriClassBase, pe.cntThreads,th.HowManyHeaps());TCHAR szOwner[MAX_PATH 1];if (GetProcessOwner(dwProcessID, szOwner, MAX_PATH)) {AddText(hwnd, TEXT(Owner: %s\r\n), szOwner);}break; // No need to continue looping}}// Show Modules in the Process// Number of characters to display an addressAddText(hwnd, TEXT(\r\nModules Information:\r\n)TEXT( Usage %-*s(%-*s) %10s Module\r\n),s_cchAddress, TEXT(BaseAddr),s_cchAddress, TEXT(ImagAddr), TEXT(Size));MODULEENTRY32 me { sizeof(me) };fOk th.ModuleFirst(me);for (; fOk; fOk th.ModuleNext(me)) {if (me.ProccntUsage 65535) {// Module was implicitly loaded and cannot be unloadedAddText(hwnd, TEXT( Fixed));}else {AddText(hwnd, TEXT( %5d), me.ProccntUsage);}// Try to format the size in kb.TCHAR szFormattedSize[64];if (StrFormatKBSize(me.modBaseSize, szFormattedSize,_countof(szFormattedSize)) NULL){StringCchPrintf(szFormattedSize, _countof(szFormattedSize),TEXT(%10u), me.modBaseSize);}PVOID pvPreferredBaseAddr GetModulePreferredBaseAddr(pe.th32ProcessID, me.modBaseAddr);if (me.modBaseAddr pvPreferredBaseAddr) {AddText(hwnd, TEXT( %p %*s %10s %s\r\n),me.modBaseAddr, s_cchAddress, TEXT(),szFormattedSize, me.szExePath);}else {AddText(hwnd, TEXT( %p(%p) %10s %s\r\n),me.modBaseAddr, pvPreferredBaseAddr,szFormattedSize, me.szExePath);}}// Show threads in the processAddText(hwnd, TEXT(\r\nThread Information:\r\n)TEXT( TID Priority\r\n));THREADENTRY32 te { sizeof(te) };fOk th.ThreadFirst(te);for (; fOk; fOk th.ThreadNext(te)) {if (te.th32OwnerProcessID dwProcessID) {int nPriority te.tpBasePri te.tpDeltaPri;if ((te.tpBasePri 16) (nPriority 15)) nPriority 15;if ((te.tpBasePri 15) (nPriority 31)) nPriority 31;if ((te.tpBasePri 16) (nPriority 1)) nPriority 1;if ((te.tpBasePri 15) (nPriority 16)) nPriority 16;AddText(hwnd, TEXT( %08X %2d\r\n),te.th32ThreadID, nPriority);}}
}BOOL GetProcessCmdLine(HANDLE hProcess, LPTSTR szCmdLine, DWORD Size) {// Sanity checksif ((hProcess NULL) || (szCmdLine NULL) || (Size 0))return(FALSE);// 0. Get the Process Environment Block addressint iReturn 1;DWORD dwSize;SIZE_T size;PROCESS_BASIC_INFORMATION pbi;// The PEB was supposed to always be at address 0x7ffdf000 in XP...// ... but, here is the right way to get it now in Vista.iReturn _NtQueryInformationProcess(hProcess, ProcessBasicInformation, pbi, sizeof(pbi), dwSize);// NtQueryInformationProcess returns a negative value if it failsif (iReturn 0) {// 1. Find the Process Environment Block__PEB PEB;size dwSize;if (!ReadProcessMemory(hProcess, pbi.PebBaseAddress, PEB,sizeof(PEB), size)) {// Call GetLastError() if you need to know whyreturn(FALSE);}// 2. From this PEB, get the address of the block containing // a pointer to the CmdLine__INFOBLOCK Block;if (!ReadProcessMemory(hProcess, (LPVOID)PEB.InfoBlockAddress,Block, sizeof(Block), size)) {// Call GetLastError() if you need to know whyreturn(FALSE);}// 3. Get the CmdLinewchar_t wszCmdLine[MAX_PATH 1];if (!ReadProcessMemory(hProcess, (LPVOID)Block.wszCmdLineAddress,wszCmdLine, MAX_PATH * sizeof(wchar_t), size)) {// Call GetLastError() if you need to know whyreturn(FALSE);}// 4. Skip the application pathname// it can be empty, c:\...\app.exe or c:\...\app.exewchar_t* pPos wszCmdLine;if (*pPos ! L\0) {if (*pPos L) {// Find the next characterpPos wcschr(pPos[1], L);}else {// Find the next SPACE characterpPos wcschr(pPos[1], L );}// Skip itif (pPos ! NULL)pPos;}// Copy it backif (pPos ! NULL) {if (*pPos ! L\0) {
#ifdef UNICODE// Both strings are in UNICODE._tcscpy_s(szCmdLine, Size, pPos);
#else// from UNICODE to ANSIMultiByteToWideChar(CP_ACP, 0, szCmdLine, Size,pPos, wcslen(pPos));
#endif}elseszCmdLine[0] TEXT(\0);}elseszCmdLine[0] TEXT(\0);}else {return(FALSE);}return(TRUE);
}BOOL GetProcessCmdLine(DWORD PID, LPTSTR szCmdLine, DWORD Size) {// Sanity checksif ((PID 0) || (szCmdLine NULL))return(FALSE);// Check if we can get information for this processHANDLE hProcess OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, PID);if (hProcess NULL)return(FALSE);BOOL bReturn GetProcessCmdLine(hProcess, szCmdLine, Size);// Dont forget to release the process handleCloseHandle(hProcess);return(bReturn);
}VOID FormatSizeInKB(DWORD dwSize, DWORD nCharacters,LPTSTR szSize, size_t cchSize) {TCHAR szFormattedSize[64];if (StrFormatKBSize(dwSize, szFormattedSize,_countof(szFormattedSize)) NULL) {StringCchPrintf(szFormattedSize, _countof(szFormattedSize), TEXT(%8u), dwSize);}// Format to the right nCharacter width if needed.if (_tcslen(szFormattedSize) nCharacters) {DWORD current 0;for (current 0;current (nCharacters - _tcslen(szFormattedSize));current) {szSize[current] TEXT( );}szSize[current] TEXT(\0);_tcscat_s(szSize, cchSize - current, szFormattedSize);}
}VOID Dlg_PopulateProcessList(HWND hwnd) {HWND hwndList GetDlgItem(hwnd, IDC_PROCESSMODULELIST);SetWindowRedraw(hwndList, FALSE);ComboBox_ResetContent(hwndList);CToolhelp thProcesses(TH32CS_SNAPPROCESS);PROCESSENTRY32 pe { sizeof(pe) };BOOL fOk thProcesses.ProcessFirst(pe);for (; fOk; fOk thProcesses.ProcessNext(pe)) {TCHAR sz[1024];// Place the process name (without its path) ID in the listPCTSTR pszExeFile _tcsrchr(pe.szExeFile, TEXT(\\));if (pszExeFile NULL) {pszExeFile pe.szExeFile;}else {pszExeFile; // Skip over the slash}// Append the code/resource integrity level and policyDWORD dwCodeIntegrityLevel 0;DWORD dwCodePolicy TOKEN_MANDATORY_POLICY_OFF;DWORD dwResourcePolicy 0;DWORD dwResourceIntegrityLevel 0;TCHAR szCodeDetails[256];szCodeDetails[0] TEXT(\0);TCHAR szResourceDetails[256];szResourceDetails[0] TEXT(\0);if (GetProcessIntegrityLevel(pe.th32ProcessID, dwCodeIntegrityLevel,dwCodePolicy, dwResourceIntegrityLevel, dwResourcePolicy)) {switch (dwCodeIntegrityLevel) {case SECURITY_MANDATORY_LOW_RID:_tcscpy_s(szCodeDetails, _countof(szCodeDetails),TEXT(- Low ));break;case SECURITY_MANDATORY_MEDIUM_RID:_tcscpy_s(szCodeDetails, _countof(szCodeDetails),TEXT(- Medium ));break;case SECURITY_MANDATORY_HIGH_RID:_tcscpy_s(szCodeDetails, _countof(szCodeDetails),TEXT(- High ));break;case SECURITY_MANDATORY_SYSTEM_RID:_tcscpy_s(szCodeDetails, _countof(szCodeDetails),TEXT(- System ));break;default:_tcscpy_s(szCodeDetails, _countof(szCodeDetails),TEXT(- ??? ));}if (dwCodePolicy TOKEN_MANDATORY_POLICY_OFF) { // 0_tcscat_s(szCodeDetails,_countof(szCodeDetails), TEXT( no policy));}else {if ((dwCodePolicy TOKEN_MANDATORY_POLICY_VALID_MASK) 0) {_tcscat_s(szCodeDetails, _countof(szCodeDetails),TEXT( ???));}else {if ((dwCodePolicy TOKEN_MANDATORY_POLICY_NO_WRITE_UP) TOKEN_MANDATORY_POLICY_NO_WRITE_UP) {_tcscat_s(szCodeDetails, _countof(szCodeDetails),TEXT( no write-up));}if ((dwCodePolicy TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN) TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN) {_tcscat_s(szCodeDetails, _countof(szCodeDetails),TEXT( new process min));}}}switch (dwResourceIntegrityLevel) {case SECURITY_MANDATORY_LOW_RID:_tcscpy_s(szResourceDetails,_countof(szResourceDetails), TEXT(Low));break;case SECURITY_MANDATORY_MEDIUM_RID:_tcscpy_s(szResourceDetails,_countof(szResourceDetails), TEXT(Medium));break;case SECURITY_MANDATORY_HIGH_RID:_tcscpy_s(szResourceDetails,_countof(szResourceDetails), TEXT(High));break;case SECURITY_MANDATORY_SYSTEM_RID:_tcscpy_s(szResourceDetails,_countof(szResourceDetails), TEXT(System));break;case 0:_tcscpy_s(szResourceDetails,_countof(szResourceDetails), TEXT(Not set));break;default:_tcscpy_s(szResourceDetails,_countof(szResourceDetails), TEXT(???));}if (dwResourcePolicy 0) { // 0_tcscat_s(szResourceDetails,_countof(szResourceDetails), TEXT( 0 policy));}else {if ((dwResourcePolicy TOKEN_MANDATORY_POLICY_VALID_MASK) 0) {_tcscat_s(szResourceDetails,_countof(szResourceDetails), TEXT( ???));}else {if ((dwResourcePolicy SYSTEM_MANDATORY_LABEL_NO_WRITE_UP) SYSTEM_MANDATORY_LABEL_NO_WRITE_UP) {_tcscat_s(szResourceDetails,_countof(szResourceDetails),TEXT( no write-up));}if ((dwResourcePolicy SYSTEM_MANDATORY_LABEL_NO_READ_UP) SYSTEM_MANDATORY_LABEL_NO_READ_UP) {_tcscat_s(szResourceDetails,_countof(szResourceDetails),TEXT( no read-up));}if ((dwResourcePolicy SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP) SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP) {_tcscat_s(szResourceDetails,_countof(szResourceDetails),TEXT( no execute-up));}}}}StringCchPrintf(sz, _countof(sz), TEXT(%s (0x%08X) %s [%s]),pszExeFile, pe.th32ProcessID, szCodeDetails, szResourceDetails);int n ComboBox_AddString(hwndList, sz);// Associate the process ID with the added itemComboBox_SetItemData(hwndList, n, pe.th32ProcessID);}ComboBox_SetCurSel(hwndList, 0); // Select the first entry// Simulate the user selecting this first item so that the// results pane shows something interestingFORWARD_WM_COMMAND(hwnd, IDC_PROCESSMODULELIST,hwndList, CBN_SELCHANGE, SendMessage);SetWindowRedraw(hwndList, TRUE);InvalidateRect(hwndList, NULL, FALSE);
}///VOID Dlg_PopulateModuleList(HWND hwnd) {HWND hwndModuleHelp GetDlgItem(hwnd, IDC_MODULEHELP);ListBox_ResetContent(hwndModuleHelp);CToolhelp thProcesses(TH32CS_SNAPPROCESS);PROCESSENTRY32 pe { sizeof(pe) };BOOL fOk thProcesses.ProcessFirst(pe);for (; fOk; fOk thProcesses.ProcessNext(pe)) {CToolhelp thModules(TH32CS_SNAPMODULE, pe.th32ProcessID);MODULEENTRY32 me { sizeof(me) };BOOL fOk thModules.ModuleFirst(me);for (; fOk; fOk thModules.ModuleNext(me)) {int n ListBox_FindStringExact(hwndModuleHelp, -1, me.szExePath);if (n LB_ERR) {// This module hasnt been added beforeListBox_AddString(hwndModuleHelp, me.szExePath);}}}HWND hwndList GetDlgItem(hwnd, IDC_PROCESSMODULELIST);SetWindowRedraw(hwndList, FALSE);ComboBox_ResetContent(hwndList);int nNumModules ListBox_GetCount(hwndModuleHelp);for (int i 0; i nNumModules; i) {TCHAR sz[1024];ListBox_GetText(hwndModuleHelp, i, sz);// Place module name (without its path) in the listint nIndex ComboBox_AddString(hwndList, _tcsrchr(sz, TEXT(\\)) 1);// Associate the index of the full path with the added itemComboBox_SetItemData(hwndList, nIndex, i);}ComboBox_SetCurSel(hwndList, 0); // Select the first entry// Simulate the user selecting this first item so that the// results pane shows something interestingFORWARD_WM_COMMAND(hwnd, IDC_PROCESSMODULELIST,hwndList, CBN_SELCHANGE, SendMessage);SetWindowRedraw(hwndList, TRUE);InvalidateRect(hwndList, NULL, FALSE);
}BOOL GetProcessIntegrityLevel(HANDLE hProcess, PDWORD pIntegrityLevel,PDWORD pPolicy, PDWORD pResourceIntegrityLevel, PDWORD pResourcePolicy) {HANDLE hToken NULL;if (!OpenProcessToken(hProcess, TOKEN_READ, hToken)) {return(FALSE);}BOOL bReturn FALSE;// First, compute the size of the buffer to get the Integrity levelDWORD dwNeededSize 0;if (!GetTokenInformation(hToken, TokenIntegrityLevel, NULL, 0, dwNeededSize)) {PTOKEN_MANDATORY_LABEL pTokenInfo NULL;if (GetLastError() ERROR_INSUFFICIENT_BUFFER) {// Second, allocate a memory block with the the required size pTokenInfo (PTOKEN_MANDATORY_LABEL)LocalAlloc(0, dwNeededSize);if (pTokenInfo ! NULL) {// And finally, ask for the integrity levelif (GetTokenInformation(hToken, TokenIntegrityLevel, pTokenInfo,dwNeededSize, dwNeededSize)) {*pIntegrityLevel *GetSidSubAuthority(pTokenInfo-Label.Sid,(*GetSidSubAuthorityCount(pTokenInfo-Label.Sid) - 1));bReturn TRUE;}// Dont forget to free the memoryLocalFree(pTokenInfo);}}}// Try to get the policy if the integrity level was availableif (bReturn) {*pPolicy TOKEN_MANDATORY_POLICY_OFF;dwNeededSize sizeof(DWORD);GetTokenInformation(hToken, TokenMandatoryPolicy, pPolicy,dwNeededSize, dwNeededSize);}// Look for the resource policy*pResourceIntegrityLevel 0; // 0 means none explicitely set*pResourcePolicy 0;PACL pSACL NULL;PSECURITY_DESCRIPTOR pSD NULL;DWORD dwResult ERROR_SUCCESS;// Look for the no-read-up/no-write-up policy in the SACLif (hToken ! NULL) {dwResult GetSecurityInfo(hProcess, SE_KERNEL_OBJECT,LABEL_SECURITY_INFORMATION,NULL, NULL, NULL,pSACL, pSD);if (dwResult ERROR_SUCCESS) {if (pSACL ! NULL) {SYSTEM_MANDATORY_LABEL_ACE* pACE NULL;if ((pSACL-AceCount 0) (GetAce(pSACL, 0, (PVOID*)pACE))) {if (pACE ! NULL) {SID* pSID (SID*)(pACE-SidStart);*pResourceIntegrityLevel pSID-SubAuthority[0];*pResourcePolicy pACE-Mask;}}}}// Cleanup memory allocated on our behalfif (pSD ! NULL) LocalFree(pSD);}// Dont forget to close the token handle.CloseHandle(hToken);return(bReturn);
}BOOL GetProcessIntegrityLevel(DWORD PID, PDWORD pIntegrityLevel,PDWORD pPolicy, PDWORD pResourceIntegrityLevel, PDWORD pResourcePolicy) {// Sanity checksif ((PID 0) || (pIntegrityLevel NULL))return(FALSE);// Check if we can get information for this processHANDLE hProcess OpenProcess(READ_CONTROL | PROCESS_QUERY_INFORMATION,FALSE, PID);if (hProcess NULL)return(FALSE);BOOL bReturn GetProcessIntegrityLevel(hProcess, pIntegrityLevel,pPolicy, pResourceIntegrityLevel, pResourcePolicy);// Dont forget to release the process handleCloseHandle(hProcess);return(bReturn);
}PVOID GetModulePreferredBaseAddr(DWORD dwProcessId, PVOID pvModuleRemote) {PVOID pvModulePreferredBaseAddr NULL;IMAGE_DOS_HEADER idh;IMAGE_NT_HEADERS inth;// Read the remote modules DOS headerToolhelp32ReadProcessMemory(dwProcessId,pvModuleRemote, idh, sizeof(idh), NULL);// Verify the DOS image headerif (idh.e_magic IMAGE_DOS_SIGNATURE) {// Read the remote modules NT headerToolhelp32ReadProcessMemory(dwProcessId,(PBYTE)pvModuleRemote idh.e_lfanew, inth, sizeof(inth), NULL);// Verify the NT image headerif (inth.Signature IMAGE_NT_SIGNATURE) {// This is valid NT header, get the images preferred base addresspvModulePreferredBaseAddr (PVOID)inth.OptionalHeader.ImageBase;}}return(pvModulePreferredBaseAddr);
}
