| 1 | + | using System; |
| 2 | + | using System.Collections.Generic; |
| 3 | + | using System.Diagnostics; |
| 4 | + | using System.Linq; |
| 5 | + | using System.Runtime.InteropServices; |
| 6 | + | using System.Security.Principal; |
| 7 | + | using System.Text; |
| 8 | + | using System.Threading.Tasks; |
| 9 | + | |
| 10 | + | namespace winPEAS.Helpers |
| 11 | + | { |
| 12 | + | internal class HandlesHelper |
| 13 | + | { |
| 14 | + | private const int CNST_SYSTEM_EXTENDED_HANDLE_INFORMATION = 64; |
| 15 | + | public const uint STATUS_INFO_LENGTH_MISMATCH = 0xC0000004; |
| 16 | + | public const int DUPLICATE_SAME_ACCESS = 0x2; |
| 17 | + | |
| 18 | + | [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] |
| 19 | + | public struct FILE_NAME_INFO |
| 20 | + | { |
| 21 | + | public int FileNameLength; |
| 22 | + | [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 1000)] |
| 23 | + | public string FileName; |
| 24 | + | } |
| 25 | + | |
| 26 | + | [StructLayout(LayoutKind.Sequential)] |
| 27 | + | public struct THREAD_BASIC_INFORMATION |
| 28 | + | { |
| 29 | + | public uint ExitStatus; |
| 30 | + | public IntPtr TebBaseAdress; |
| 31 | + | public CLIENT_ID ClientId; |
| 32 | + | public uint AffinityMask; |
| 33 | + | public uint Priority; |
| 34 | + | public uint BasePriority; |
| 35 | + | } |
| 36 | + | |
| 37 | + | [StructLayout(LayoutKind.Sequential)] |
| 38 | + | public struct CLIENT_ID |
| 39 | + | { |
| 40 | + | public int UniqueProcess; |
| 41 | + | public int UniqueThread; |
| 42 | + | } |
| 43 | + | |
| 44 | + | [StructLayout(LayoutKind.Sequential)] |
| 45 | + | public struct PROCESS_BASIC_INFORMATION |
| 46 | + | { |
| 47 | + | public int ExitStatus; |
| 48 | + | public IntPtr PebBaseAddress; |
| 49 | + | public IntPtr AffinityMask; |
| 50 | + | public int BasePriority; |
| 51 | + | public IntPtr UniqueProcessId; |
| 52 | + | public IntPtr InheritedFromUniqueProcessId; |
| 53 | + | } |
| 54 | + | |
| 55 | + | [StructLayout(LayoutKind.Sequential)] |
| 56 | + | public struct SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX |
| 57 | + | { |
| 58 | + | public IntPtr Object; |
| 59 | + | public UIntPtr UniqueProcessId; |
| 60 | + | public IntPtr HandleValue; |
| 61 | + | public uint GrantedAccess; |
| 62 | + | public ushort CreatorBackTraceIndex; |
| 63 | + | public ushort ObjectTypeIndex; |
| 64 | + | public uint HandleAttributes; |
| 65 | + | public uint Reserved; |
| 66 | + | } |
| 67 | + | |
| 68 | + | [Flags] |
| 69 | + | public enum ProcessAccessFlags : uint |
| 70 | + | { |
| 71 | + | All = 0x001F0FFF, |
| 72 | + | Terminate = 0x00000001, |
| 73 | + | CreateThread = 0x00000002, |
| 74 | + | VMOperation = 0x00000008, |
| 75 | + | VMRead = 0x00000010, |
| 76 | + | VMWrite = 0x00000020, |
| 77 | + | DupHandle = 0x00000040, |
| 78 | + | SetInformation = 0x00000200, |
| 79 | + | QueryInformation = 0x00000400, |
| 80 | + | QueryLimitedInformation = 0x1000, |
| 81 | + | Synchronize = 0x00100000 |
| 82 | + | } |
| 83 | + | |
| 84 | + | [StructLayout(LayoutKind.Sequential)] |
| 85 | + | public struct OBJECT_BASIC_INFORMATION |
| 86 | + | { // Information Class 0 |
| 87 | + | public int Attributes; |
| 88 | + | public int GrantedAccess; |
| 89 | + | public int HandleCount; |
| 90 | + | public int PointerCount; |
| 91 | + | public int PagedPoolUsage; |
| 92 | + | public int NonPagedPoolUsage; |
| 93 | + | public int Reserved1; |
| 94 | + | public int Reserved2; |
| 95 | + | public int Reserved3; |
| 96 | + | public int NameInformationLength; |
| 97 | + | public int TypeInformationLength; |
| 98 | + | public int SecurityDescriptorLength; |
| 99 | + | public System.Runtime.InteropServices.ComTypes.FILETIME CreateTime; |
| 100 | + | } |
| 101 | + | |
| 102 | + | [StructLayout(LayoutKind.Sequential)] |
| 103 | + | public struct UNICODE_STRING |
| 104 | + | { |
| 105 | + | public ushort Length; |
| 106 | + | public ushort MaximumLength; |
| 107 | + | public IntPtr Buffer; |
| 108 | + | } |
| 109 | + | |
| 110 | + | |
| 111 | + | [StructLayout(LayoutKind.Sequential)] |
| 112 | + | public struct OBJECT_NAME_INFORMATION |
| 113 | + | { // Information Class 1 |
| 114 | + | public UNICODE_STRING Name; |
| 115 | + | } |
| 116 | + | |
| 117 | + | [StructLayout(LayoutKind.Sequential)] |
| 118 | + | public struct OBJECT_TYPE_INFORMATION |
| 119 | + | { // Information Class 1 |
| 120 | + | public UNICODE_STRING Name; |
| 121 | + | public ulong TotalNumberOfObjects; |
| 122 | + | public ulong TotalNumberOfHandles; |
| 123 | + | } |
| 124 | + | |
| 125 | + | public enum ObjectInformationClass : int |
| 126 | + | { |
| 127 | + | ObjectBasicInformation = 0, |
| 128 | + | ObjectNameInformation = 1, |
| 129 | + | ObjectTypeInformation = 2, |
| 130 | + | ObjectAllTypesInformation = 3, |
| 131 | + | ObjectHandleInformation = 4 |
| 132 | + | } |
| 133 | + | |
| 134 | + | public struct VULNERABLE_HANDLER_INFO |
| 135 | + | { |
| 136 | + | public string handlerType; |
| 137 | + | public bool isVuln; |
| 138 | + | public string reason; |
| 139 | + | } |
| 140 | + | |
| 141 | + | public struct PT_RELEVANT_INFO |
| 142 | + | { |
| 143 | + | public int pid; |
| 144 | + | public string name; |
| 145 | + | public string imagePath; |
| 146 | + | public string userName; |
| 147 | + | public string userSid; |
| 148 | + | } |
| 149 | + | |
| 150 | + | public struct KEY_RELEVANT_INFO |
| 151 | + | { |
| 152 | + | public string hive; |
| 153 | + | public string path; |
| 154 | + | } |
| 155 | + | |
| 156 | + | |
| 157 | + | |
| 158 | + | |
| 159 | + | |
| 160 | + | |
| 161 | + | |
| 162 | + | |
| 163 | + | |
| 164 | + | |
| 165 | + | // Check if the given handler is exploitable |
| 166 | + | public static VULNERABLE_HANDLER_INFO checkExploitaible(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX h, string typeName) |
| 167 | + | { |
| 168 | + | VULNERABLE_HANDLER_INFO vulnHandler = new VULNERABLE_HANDLER_INFO(); |
| 169 | + | vulnHandler.handlerType = typeName; |
| 170 | + | |
| 171 | + | if (typeName == "process") |
| 172 | + | { |
| 173 | + | // Hex perms from https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights and https://github.com/buffer/maltracer/blob/master/defines.py |
| 174 | + | |
| 175 | + | //PROCESS_ALL_ACCESS |
| 176 | + | if ((h.GrantedAccess & 0x001F0FFF) == h.GrantedAccess) |
| 177 | + | { |
| 178 | + | vulnHandler.isVuln = true; |
| 179 | + | vulnHandler.reason = "PROCESS_ALL_ACCESS"; |
| 180 | + | } |
| 181 | + | |
| 182 | + | //PROCESS_CREATE_PROCESS |
| 183 | + | else if ((h.GrantedAccess & 0x0080) == h.GrantedAccess) |
| 184 | + | { |
| 185 | + | vulnHandler.isVuln = true; |
| 186 | + | vulnHandler.reason = "PROCESS_CREATE_PROCESS"; |
| 187 | + | } |
| 188 | + | |
| 189 | + | //PROCESS_CREATE_THREAD |
| 190 | + | else if ((h.GrantedAccess & 0x0002) == h.GrantedAccess) |
| 191 | + | { |
| 192 | + | vulnHandler.isVuln = true; |
| 193 | + | vulnHandler.reason = "PROCESS_CREATE_THREAD"; |
| 194 | + | } |
| 195 | + | |
| 196 | + | //PROCESS_DUP_HANDLE |
| 197 | + | else if ((h.GrantedAccess & 0x0040) == h.GrantedAccess) |
| 198 | + | { |
| 199 | + | vulnHandler.isVuln = true; |
| 200 | + | vulnHandler.reason = "PROCESS_DUP_HANDLE"; |
| 201 | + | } |
| 202 | + | |
| 203 | + | //PROCESS_VM_WRITE |
| 204 | + | else if ((h.GrantedAccess & 0x0020) == h.GrantedAccess) |
| 205 | + | { |
| 206 | + | vulnHandler.isVuln = true; |
| 207 | + | vulnHandler.reason = "PROCESS_VM_WRITE"; |
| 208 | + | |
| 209 | + | if ((h.GrantedAccess & 0x0010) == h.GrantedAccess) |
| 210 | + | vulnHandler.reason += "& PROCESS_VM_READ"; |
| 211 | + | |
| 212 | + | if ((h.GrantedAccess & 0x0008) == h.GrantedAccess) |
| 213 | + | vulnHandler.reason += "& PROCESS_VM_OPERATION"; |
| 214 | + | } |
| 215 | + | } |
| 216 | + | |
| 217 | + | else if (typeName == "thread") |
| 218 | + | { |
| 219 | + | // Codes from https://docs.microsoft.com/en-us/windows/win32/procthread/thread-security-and-access-rights and https://github.com/x0r19x91/code-injection/blob/master/inject.asm |
| 220 | + | |
| 221 | + | //THREAD_ALL_ACCESS |
| 222 | + | if ((h.GrantedAccess & 0x1f03ff) == h.GrantedAccess) |
| 223 | + | { |
| 224 | + | vulnHandler.isVuln = true; |
| 225 | + | vulnHandler.reason = "THREAD_ALL_ACCESS"; |
| 226 | + | } |
| 227 | + | |
| 228 | + | //THREAD_DIRECT_IMPERSONATION |
| 229 | + | else if ((h.GrantedAccess & 0x0200) == h.GrantedAccess) |
| 230 | + | { |
| 231 | + | vulnHandler.isVuln = true; |
| 232 | + | vulnHandler.reason = "THREAD_DIRECT_IMPERSONATION"; |
| 233 | + | } |
| 234 | + | |
| 235 | + | //THREAD_GET_CONTEXT & THREAD_SET_CONTEXT |
| 236 | + | else if (((h.GrantedAccess & 0x0008) == h.GrantedAccess) && ((h.GrantedAccess & 0x0010) == h.GrantedAccess)) |
| 237 | + | { |
| 238 | + | vulnHandler.isVuln = true; |
| 239 | + | vulnHandler.reason = "THREAD_GET_CONTEXT & THREAD_SET_CONTEXT"; |
| 240 | + | } |
| 241 | + | } |
| 242 | + | |
| 243 | + | else if (typeName == "file") |
| 244 | + | { |
| 245 | + | |
| 246 | + | string perm = PermissionsHelper.PermInt2Str((int)h.GrantedAccess, PermissionType.WRITEABLE_OR_EQUIVALENT); |
| 247 | + | if (perm != null && perm.Length> 0) |
| 248 | + | { |
| 249 | + | vulnHandler.isVuln = true; |
| 250 | + | vulnHandler.reason = perm; |
| 251 | + | } |
| 252 | + | } |
| 253 | + | |
| 254 | + | else if (typeName == "key") |
| 255 | + | { |
| 256 | + | string perm = PermissionsHelper.PermInt2Str((int)h.GrantedAccess, PermissionType.WRITEABLE_OR_EQUIVALENT_REG); |
| 257 | + | if (perm != null && perm.Length > 0) |
| 258 | + | { |
| 259 | + | vulnHandler.isVuln = true; |
| 260 | + | vulnHandler.reason = perm; |
| 261 | + | } |
| 262 | + | } |
| 263 | + | |
| 264 | + | else if (typeName == "section") |
| 265 | + | { |
| 266 | + | // Perms from |
| 267 | + | // https://docs.microsoft.com/en-us/windows/win32/secauthz/standard-access-rights |
| 268 | + | // https://docs.microsoft.com/en-us/windows/win32/secauthz/access-mask-format |
| 269 | + | // https://github.com/lab52io/LeakedHandlesFinder/blob/master/LeakedHandlesFinder/LeakedHandlesFinder.cpp |
| 270 | + | |
| 271 | + | |
| 272 | + | //MAP_WRITE |
| 273 | + | if ((h.GrantedAccess & 0x2) == h.GrantedAccess) |
| 274 | + | { |
| 275 | + | vulnHandler.isVuln = true; |
| 276 | + | vulnHandler.reason = "MAP_WRITE (Research Needed)"; |
| 277 | + | } |
| 278 | + | //DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER = STANDARD_RIGHTS_ALL |
| 279 | + | else if ((h.GrantedAccess & 0xf0000) == h.GrantedAccess) |
| 280 | + | { |
| 281 | + | vulnHandler.isVuln = true; |
| 282 | + | vulnHandler.reason = "STANDARD_RIGHTS_ALL (Research Needed)"; |
| 283 | + | } |
| 284 | + | } |
| 285 | + | |
| 286 | + | return vulnHandler; |
| 287 | + | } |
| 288 | + | |
| 289 | + | // Given a found handler get what type is it. |
| 290 | + | public static string GetObjectType(IntPtr handle) |
| 291 | + | { |
| 292 | + | OBJECT_TYPE_INFORMATION basicType = new OBJECT_TYPE_INFORMATION(); |
| 293 | + | |
| 294 | + | try |
| 295 | + | { |
| 296 | + | IntPtr _basic = IntPtr.Zero; |
| 297 | + | string name; |
| 298 | + | int nameLength = 0; |
| 299 | + | |
| 300 | + | try |
| 301 | + | { |
| 302 | + | _basic = Marshal.AllocHGlobal(0x1000); |
| 303 | + | |
| 304 | + | Native.Ntdll.NtQueryObject(handle, (int)ObjectInformationClass.ObjectTypeInformation, _basic, 0x1000, ref nameLength); |
| 305 | + | basicType = (OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(_basic, basicType.GetType()); |
| 306 | + | name = Marshal.PtrToStringUni(basicType.Name.Buffer, basicType.Name.Length >> 1); |
| 307 | + | return name; |
| 308 | + | } |
| 309 | + | finally |
| 310 | + | { |
| 311 | + | if (_basic != IntPtr.Zero) |
| 312 | + | Marshal.FreeHGlobal(_basic); |
| 313 | + | } |
| 314 | + | } |
| 315 | + | catch { } |
| 316 | + | |
| 317 | + | return null; |
| 318 | + | } |
| 319 | + | |
| 320 | + | // Get the name of the handler (if any) |
| 321 | + | public static string GetObjectName(IntPtr handle) |
| 322 | + | { |
| 323 | + | OBJECT_BASIC_INFORMATION basicInfo = new OBJECT_BASIC_INFORMATION(); |
| 324 | + | try |
| 325 | + | { |
| 326 | + | |
| 327 | + | IntPtr _basic = IntPtr.Zero; |
| 328 | + | int nameLength = 0; |
| 329 | + | |
| 330 | + | try |
| 331 | + | { |
| 332 | + | _basic = Marshal.AllocHGlobal(Marshal.SizeOf(basicInfo)); |
| 333 | + | |
| 334 | + | Native.Ntdll.NtQueryObject(handle, (int)ObjectInformationClass.ObjectBasicInformation, _basic, Marshal.SizeOf(basicInfo), ref nameLength); |
| 335 | + | basicInfo = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(_basic, basicInfo.GetType()); |
| 336 | + | nameLength = basicInfo.NameInformationLength; |
| 337 | + | } |
| 338 | + | finally |
| 339 | + | { |
| 340 | + | if (_basic != IntPtr.Zero) |
| 341 | + | Marshal.FreeHGlobal(_basic); |
| 342 | + | } |
| 343 | + | |
| 344 | + | if (nameLength == 0) |
| 345 | + | { |
| 346 | + | return null; |
| 347 | + | } |
| 348 | + | |
| 349 | + | OBJECT_NAME_INFORMATION nameInfo = new OBJECT_NAME_INFORMATION(); |
| 350 | + | IntPtr _objectName = Marshal.AllocHGlobal(nameLength); |
| 351 | + | |
| 352 | + | try |
| 353 | + | { |
| 354 | + | while ((uint)(Native.Ntdll.NtQueryObject(handle, (int)ObjectInformationClass.ObjectNameInformation, _objectName, nameLength, ref nameLength)) == STATUS_INFO_LENGTH_MISMATCH) |
| 355 | + | { |
| 356 | + | Marshal.FreeHGlobal(_objectName); |
| 357 | + | _objectName = Marshal.AllocHGlobal(nameLength); |
| 358 | + | } |
| 359 | + | nameInfo = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(_objectName, nameInfo.GetType()); |
| 360 | + | } |
| 361 | + | finally |
| 362 | + | { |
| 363 | + | Marshal.FreeHGlobal(_objectName); |
| 364 | + | } |
| 365 | + | |
| 366 | + | try |
| 367 | + | { |
| 368 | + | if (nameInfo.Name.Length > 0) |
| 369 | + | return Marshal.PtrToStringUni(nameInfo.Name.Buffer, nameInfo.Name.Length >> 1); |
| 370 | + | } |
| 371 | + | catch |
| 372 | + | { |
| 373 | + | |
| 374 | + | } |
| 375 | + | |
| 376 | + | return null; |
| 377 | + | } |
| 378 | + | catch { return null; } |
| 379 | + | } |
| 380 | + | |
| 381 | + | // Get all handlers inside the system |
| 382 | + | public static List<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX> GetAllHandlers() |
| 383 | + | { |
| 384 | + | bool is_64 = Marshal.SizeOf(typeof(IntPtr)) == 8 ? true : false; |
| 385 | + | int infoLength = 0x10000; |
| 386 | + | int length = 0; |
| 387 | + | IntPtr _info = Marshal.AllocHGlobal(infoLength); |
| 388 | + | IntPtr _handle = IntPtr.Zero; |
| 389 | + | long handleCount = 0; |
| 390 | + | |
| 391 | + | |
| 392 | + | // Try to find the size |
| 393 | + | while ((Native.Ntdll.NtQuerySystemInformation(CNST_SYSTEM_EXTENDED_HANDLE_INFORMATION, _info, infoLength, ref length)) == STATUS_INFO_LENGTH_MISMATCH) |
| 394 | + | { |
| 395 | + | infoLength = length; |
| 396 | + | Marshal.FreeHGlobal(_info); |
| 397 | + | _info = Marshal.AllocHGlobal(infoLength); |
| 398 | + | } |
| 399 | + | |
| 400 | + | |
| 401 | + | if (is_64) |
| 402 | + | { |
| 403 | + | handleCount = Marshal.ReadInt64(_info); |
| 404 | + | _handle = new IntPtr(_info.ToInt64() + 16); |
| 405 | + | } |
| 406 | + | else |
| 407 | + | { |
| 408 | + | handleCount = Marshal.ReadInt32(_info); |
| 409 | + | _handle = new IntPtr(_info.ToInt32() + 8); |
| 410 | + | } |
| 411 | + | |
| 412 | + | SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handleInfo = new SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(); |
| 413 | + | List<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX> handles = new List<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX>(); |
| 414 | + | |
| 415 | + | int infoSize = Marshal.SizeOf(handleInfo); |
| 416 | + | Type infoType = handleInfo.GetType(); |
| 417 | + | |
| 418 | + | |
| 419 | + | for (long i = 0; i < handleCount; i++) |
| 420 | + | { |
| 421 | + | if (is_64) |
| 422 | + | { |
| 423 | + | handleInfo = (SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX)Marshal.PtrToStructure(_handle, infoType); |
| 424 | + | _handle = new IntPtr(_handle.ToInt64() + infoSize); |
| 425 | + | } |
| 426 | + | else |
| 427 | + | { |
| 428 | + | handleInfo = (SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX)Marshal.PtrToStructure(_handle, infoType); |
| 429 | + | _handle = new IntPtr(_handle.ToInt32() + infoSize); |
| 430 | + | } |
| 431 | + | |
| 432 | + | handles.Add(handleInfo); |
| 433 | + | } |
| 434 | + | |
| 435 | + | return handles; |
| 436 | + | } |
| 437 | + | |
| 438 | + | // Get the owner of a process given the PID |
| 439 | + | public static Dictionary<string, string> GetProcU(Process p) |
| 440 | + | { |
| 441 | + | Dictionary<string, string> data = new Dictionary<string, string>(); |
| 442 | + | data["name"] = ""; |
| 443 | + | data["sid"] = ""; |
| 444 | + | IntPtr pHandle = IntPtr.Zero; |
| 445 | + | try |
| 446 | + | { |
| 447 | + | Native.Advapi32.OpenProcessToken(p.Handle, 8, out pHandle); |
| 448 | + | WindowsIdentity WI = new WindowsIdentity(pHandle); |
| 449 | + | string uSEr = WI.Name; |
| 450 | + | string sid = WI.User.Value; |
| 451 | + | data["name"] = uSEr.Contains(@"\") ? uSEr.Substring(uSEr.IndexOf(@"\") + 1) : uSEr; |
| 452 | + | data["sid"] = sid; |
| 453 | + | return data; |
| 454 | + | } |
| 455 | + | catch |
| 456 | + | { |
| 457 | + | return data; |
| 458 | + | } |
| 459 | + | finally |
| 460 | + | { |
| 461 | + | if (pHandle != IntPtr.Zero) |
| 462 | + | { |
| 463 | + | Native.Kernel32.CloseHandle(pHandle); |
| 464 | + | } |
| 465 | + | } |
| 466 | + | } |
| 467 | + | |
| 468 | + | // Get info of the process given the PID |
| 469 | + | public static PT_RELEVANT_INFO getProcInfoById(int pid) |
| 470 | + | { |
| 471 | + | PT_RELEVANT_INFO pri = new PT_RELEVANT_INFO(); |
| 472 | + | |
| 473 | + | Process proc = Process.GetProcessById(pid); |
| 474 | + | Dictionary<string,string> user = GetProcU(proc); |
| 475 | + | |
| 476 | + | StringBuilder fileName = new StringBuilder(2000); |
| 477 | + | Native.Psapi.GetProcessImageFileName(proc.Handle, fileName, 2000); |
| 478 | + | |
| 479 | + | pri.pid = pid; |
| 480 | + | pri.name = proc.ProcessName; |
| 481 | + | pri.userName = user["name"]; |
| 482 | + | pri.userSid = user["sid"]; |
| 483 | + | pri.imagePath = fileName.ToString(); |
| 484 | + | |
| 485 | + | return pri; |
| 486 | + | } |
| 487 | + | |
| 488 | + | // Get information of a handler of type process |
| 489 | + | public static PT_RELEVANT_INFO getProcessHandlerInfo(IntPtr handle) |
| 490 | + | { |
| 491 | + | PT_RELEVANT_INFO pri = new PT_RELEVANT_INFO(); |
| 492 | + | PROCESS_BASIC_INFORMATION pbi = new PROCESS_BASIC_INFORMATION(); |
| 493 | + | IntPtr[] pbi_arr = new IntPtr[6]; |
| 494 | + | int pid; |
| 495 | + | |
| 496 | + | |
| 497 | + | int retLength = 0; |
| 498 | + | |
| 499 | + | // Try to find the size |
| 500 | + | uint status = (uint)Native.Ntdll.NtQueryInformationProcess(handle, 0, pbi_arr, 48, ref retLength); |
| 501 | + | if (status == 0) |
| 502 | + | { |
| 503 | + | |
| 504 | + | //pbi.ExitStatus = (int)pbi_arr[0]; |
| 505 | + | //pbi.PebBaseAddress = pbi_arr[1]; |
| 506 | + | //pbi.AffinityMask = pbi_arr[2]; |
| 507 | + | //pbi.BasePriority = (int)pbi_arr[3]; |
| 508 | + | pbi.UniqueProcessId = pbi_arr[4]; |
| 509 | + | //pbi.InheritedFromUniqueProcessId = pbi_arr[5]; |
| 510 | + | pid = (int)pbi.UniqueProcessId; |
| 511 | + | } |
| 512 | + | else |
| 513 | + | { |
| 514 | + | pid = (int)Native.Kernel32.GetProcessId(handle); |
| 515 | + | } |
| 516 | + | |
| 517 | + | if (pid == 0) |
| 518 | + | return pri; |
| 519 | + | |
| 520 | + | return getProcInfoById(pid); |
| 521 | + | } |
| 522 | + | |
| 523 | + | // Get information of a handler of type thread |
| 524 | + | public static PT_RELEVANT_INFO getThreadHandlerInfo(IntPtr handle) |
| 525 | + | { |
| 526 | + | PT_RELEVANT_INFO pri = new PT_RELEVANT_INFO(); |
| 527 | + | THREAD_BASIC_INFORMATION tbi = new THREAD_BASIC_INFORMATION(); |
| 528 | + | IntPtr[] tbi_arr = new IntPtr[6]; |
| 529 | + | int pid; |
| 530 | + | |
| 531 | + | |
| 532 | + | /* You could also get the PID using this method |
| 533 | + | int retLength = 0; |
| 534 | + | uint status = (uint)NtQueryInformationThread(handle, 0, tbi_arr, 48, ref retLength); |
| 535 | + | if (status != 0) |
| 536 | + | { |
| 537 | + | return pri; |
| 538 | + | } |
| 539 | + | |
| 540 | + | pid = (int)GetProcessIdOfThread(handle); |
| 541 | + | |
| 542 | + | CLIENT_ID ci = new CLIENT_ID(); |
| 543 | + | |
| 544 | + | tbi.ExitStatus = (uint)tbi_arr[0]; |
| 545 | + | tbi.TebBaseAdress = tbi_arr[1]; |
| 546 | + | tbi.ClientId = tbi_arr[2]; |
| 547 | + | tbi.AffinityMask = (uint)tbi_arr[3]; |
| 548 | + | tbi.Priority = (uint)tbi_arr[4]; |
| 549 | + | tbi.BasePriority = (uint)tbi_arr[5];*/ |
| 550 | + | |
| 551 | + | pid = (int)Native.Kernel32.GetProcessIdOfThread(handle); |
| 552 | + | if (pid == 0) |
| 553 | + | return pri; |
| 554 | + | |
| 555 | + | return getProcInfoById(pid); |
| 556 | + | } |
| 557 | + | |
| 558 | + | // Get information of a handler of type key |
| 559 | + | public static KEY_RELEVANT_INFO getKeyHandlerInfo(IntPtr handle) |
| 560 | + | { |
| 561 | + | KEY_RELEVANT_INFO kri = new KEY_RELEVANT_INFO(); |
| 562 | + | int retLength = 0; |
| 563 | + | |
| 564 | + | // Get KeyNameInformation (3) |
| 565 | + | uint status = (uint)Native.Ntdll.NtQueryKey(handle, 3, null, 0, ref retLength); |
| 566 | + | var keyInformation = new byte[retLength]; |
| 567 | + | status = (uint)Native.Ntdll.NtQueryKey(handle, 3, keyInformation, retLength, ref retLength); |
| 568 | + | |
| 569 | + | string path = Encoding.Unicode.GetString(keyInformation, 4, keyInformation.Length - 4).ToLower(); |
| 570 | + | string hive = ""; |
| 571 | + | |
| 572 | + | // https://groups.google.com/g/comp.os.ms-windows.programmer.win32/c/nCs-9zFRm6I |
| 573 | + | if (path.StartsWith(@"\registry\machine")) |
| 574 | + | { |
| 575 | + | path = path.Replace(@"\registry\machine", ""); |
| 576 | + | hive = "HKLM"; |
| 577 | + | } |
| 578 | + | |
| 579 | + | else if (path.StartsWith(@"\registry\user")) |
| 580 | + | { |
| 581 | + | path = path.Replace(@"\registry\user", ""); |
| 582 | + | hive = "HKU"; |
| 583 | + | } |
| 584 | + | |
| 585 | + | else |
| 586 | + | { // This shouldn't be needed |
| 587 | + | if (path.StartsWith("\\")) |
| 588 | + | path = path.Substring(1); |
| 589 | + | hive = Helpers.Registry.RegistryHelper.CheckIfExists(path); |
| 590 | + | } |
| 591 | + | |
| 592 | + | if (path.StartsWith("\\")) |
| 593 | + | path = path.Substring(1); |
| 594 | + | |
| 595 | + | kri.hive = hive; |
| 596 | + | kri.path = path; |
| 597 | + | |
| 598 | + | return kri; |
| 599 | + | } |
| 600 | + | } |
| 601 | + | } |
| 602 | + | |
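Review bot: The access-mask tests in checkExploitaible (lines 176–240 and 273–283) are inverted — `(h.GrantedAccess & MASK) == h.GrantedAccess` holds whenever the granted rights are a subset of MASK, not when MASK is present, so a handle carrying only PROCESS_TERMINATE (0x1) is reported as PROCESS_ALL_ACCESS, while a handle granted the Vista+ PROCESS_ALL_ACCESS value 0x1FFFFF has bits outside 0x1F0FFF, matches no branch, and is left with isVuln == false. The same shape makes the nested VM_READ/VM_OPERATION appends at 209/212 and the GET_CONTEXT && SET_CONTEXT test at 236 satisfiable only for GrantedAccess == 0, which the first branch already swallows, so they are dead. Each check should test that the bits are set, `(h.GrantedAccess & 0x001F0FFF) == 0x001F0FFF` for the all-access cases and `(h.GrantedAccess & 0x0080) != 0` for single rights, as in the excerpt below. Separately, the `_info` buffer allocated at line 387 in GetAllHandlers is never freed after the size loop, and getKeyHandlerInfo (line 569) will throw on `keyInformation.Length - 4` when the first NtQueryKey call leaves retLength at 0, so a `retLength < 4` guard returning the empty kri is needed there.
```csharp
if (typeName == "process")
{
    uint access = h.GrantedAccess;

    // A right is held when its bits are set; the old "(access & MASK) == access" test
    // only told us that access was a subset of MASK.
    if ((access & 0x001F0FFF) == 0x001F0FFF)            // PROCESS_ALL_ACCESS (0x1FFFFF on Vista+ is a superset)
    { /* … unchanged: isVuln = true; reason = "PROCESS_ALL_ACCESS" … */ }
    else if ((access & 0x0080) != 0)                    // PROCESS_CREATE_PROCESS
    { /* … unchanged … */ }
    else if ((access & 0x0002) != 0)                    // PROCESS_CREATE_THREAD
    { /* … unchanged … */ }
    else if ((access & 0x0040) != 0)                    // PROCESS_DUP_HANDLE
    { /* … unchanged … */ }
    else if ((access & 0x0020) != 0)                    // PROCESS_VM_WRITE
    {
        vulnHandler.isVuln = true;
        vulnHandler.reason = "PROCESS_VM_WRITE";
        if ((access & 0x0010) != 0)
            vulnHandler.reason += " & PROCESS_VM_READ";
        if ((access & 0x0008) != 0)
            vulnHandler.reason += " & PROCESS_VM_OPERATION";
    }
}
else if (typeName == "thread")
{
    uint access = h.GrantedAccess;
    if ((access & 0x1F03FF) == 0x1F03FF)                // THREAD_ALL_ACCESS
    { /* … unchanged … */ }
    else if ((access & 0x0200) != 0)                    // THREAD_DIRECT_IMPERSONATION
    { /* … unchanged … */ }
    else if ((access & 0x0018) == 0x0018)               // THREAD_GET_CONTEXT & THREAD_SET_CONTEXT
    { /* … unchanged … */ }
}
// … unchanged: file and key branches …
else if (typeName == "section")
{
    if ((h.GrantedAccess & 0x2) != 0)                   // MAP_WRITE
    { /* … unchanged … */ }
    else if ((h.GrantedAccess & 0xF0000) == 0xF0000)    // STANDARD_RIGHTS_ALL
    { /* … unchanged … */ }
}
```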