Add support for Protected and PPL processes with the ProcessExplorer driver.

REMARK: the feature requires the procexp.sys driver version 15.0.0.0
This commit is contained in:
silverf0x 2019-01-20 17:49:31 +01:00
parent 80fc306cac
commit 7302b614ce
6 changed files with 55 additions and 14 deletions


@ -18,6 +18,47 @@ typedef struct _LanguageCodePage_T {
WORD wCodePage;
} LanguageCodePage_T;
#define IOCTL_OPEN_PROCESS 0x8335003C
HANDLE hProcexp = NULL;
HANDLE ProcexpOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
{
HANDLE hProcess = NULL;
UINT64 Pid = dwProcessId;
DWORD Bytes;
hProcess = OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
if (hProcess != NULL) goto End;
if (hProcexp == NULL)
{
hProcexp = CreateFileA(
"\\\\.\\PROCEXP152",
GENERIC_READ,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL
);
if (hProcexp == INVALID_HANDLE_VALUE)
{
goto End;
}
}
DeviceIoControl(
hProcexp,
IOCTL_OPEN_PROCESS,
&Pid,
sizeof(Pid),
&hProcess,
sizeof(hProcess),
&Bytes,
NULL
);
End:
return hProcess;
}
//------------------------------------------------------------------------------
BOOL WINAPI AdjustPrivilege(LPCTSTR lpPrivilegeName,BOOL bEnablePrivilege)
@ -259,7 +300,7 @@ BOOL WINAPI GetProcessPath(DWORD Pid, WCHAR* pProcessPath, DWORD ProcessPathLeng
BOOL bResult = FALSE;
DWORD Size;
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Pid);
hProcess = ProcexpOpenProcess(PROCESS_ALL_ACCESS, FALSE, Pid);
if (hProcess == NULL) goto End;
Size = ProcessPathLength;
bResult = QueryFullProcessImageNameW(hProcess, 0, pProcessPath, &Size);
@ -299,7 +340,7 @@ BOOL WINAPI GetUserAndDomainName(DWORD Pid, WCHAR* Buffer, ULONG BufferLengthInB
SID_NAME_USE SidType;
BOOL bResult = FALSE;
hProcess = OpenProcess(PROCESS_VM_OPERATION|PROCESS_QUERY_INFORMATION,FALSE,Pid);
hProcess = ProcexpOpenProcess(PROCESS_VM_OPERATION|PROCESS_QUERY_INFORMATION,FALSE,Pid);
if (hProcess==NULL) goto End;
if (!OpenProcessToken(hProcess,TOKEN_QUERY,&hToken)) goto End;
@ -325,7 +366,7 @@ BOOL WINAPI IsProcessWow64(ULONG Pid)
BOOL bWow64 = FALSE;
HANDLE hProcess = NULL;
hProcess = OpenProcess(PROCESS_VM_OPERATION|PROCESS_QUERY_INFORMATION,FALSE,Pid);
hProcess = ProcexpOpenProcess(PROCESS_VM_OPERATION|PROCESS_QUERY_INFORMATION,FALSE,Pid);
if (hProcess==NULL) goto End;
IsWow64Process(hProcess,&bWow64);
End:
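Review bot: A failed CreateFileA leaves the global `hProcexp` set to INVALID_HANDLE_VALUE in the new ProcexpOpenProcess, so every later call skips the `hProcexp == NULL` check and hands that value to DeviceIoControl instead of retrying or failing cleanly; reset it in the failure branch, `if (hProcexp == INVALID_HANDLE_VALUE) { hProcexp = NULL; goto End; }`. The DeviceIoControl result is also ignored, so the output buffer should only be trusted on success, e.g. `if (!DeviceIoControl(hProcexp, IOCTL_OPEN_PROCESS, &Pid, sizeof(Pid), &hProcess, sizeof(hProcess), &Bytes, NULL) || Bytes != sizeof(hProcess)) hProcess = NULL;`. Since the ioctl input is only the PID, dwDesiredAccess and bInheritHandle are honored solely on the OpenProcess path; a header comment such as `// Driver path ignores dwDesiredAccess/bInheritHandle: the handle carries whatever access procexp.sys grants` would stop callers from assuming a minimal mask. The lazy initialisation of `hProcexp` is unsynchronised, so if the GUI and core paths call this from different threads (not visible here) two device handles could be opened and one leaked.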


@ -31,7 +31,7 @@ typedef struct _LocationInfo_T{
SIZE_T Size;
}LocationInfo_T;
HANDLE WINAPI ProcexpOpenProcess(DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwProcessId);
BOOL WINAPI AdjustPrivilege(LPCTSTR lpPrivilegeName,BOOL bEnablePrivilege);
BOOL WINAPI GetModuleDescription(WCHAR* pModulePath,WCHAR* pDescription,UINT Bytes);
UINT64 WINAPI GetModuleVersion(WCHAR* pModulePath);
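Review bot: The new prototype declares ProcexpOpenProcess with `WINAPI`, but the definition in the first file of this commit (`HANDLE ProcexpOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)`) carries no calling-convention specifier. On x64 the two agree, but in a 32-bit build WINAPI is __stdcall and the mismatch becomes a compile error where the header is included in the defining translation unit, or a link error where it is not. Make the definition match the header: `HANDLE WINAPI ProcexpOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)`.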


@ -220,7 +220,7 @@ BOOL WINAPI GetRpcServerAddressInProcess(DWORD Pid,RpcCoreInternalCtxt_T* pRpcCo
CHAR ModuleFileName[MAX_PATH];
BOOL bResult=FALSE;
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Pid);
hProcess = ProcexpOpenProcess(PROCESS_ALL_ACCESS, FALSE, Pid);
if (hProcess == NULL) goto End;
EnumProcessModulesEx(hProcess, NULL, 0, &cbSize, LIST_MODULES_ALL);
@ -403,7 +403,7 @@ RpcProcessInfo_T* __fastcall RpcCoreGetProcessInfo(void* pRpcCoreCtxt,DWORD Pid,
pRpcProcessInfo->ParentPid = Ppid;
pRpcProcessInfo->RpcProcessType = RpcProcessType_UNKNOWN;
hProcess=OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION,FALSE,Pid);
hProcess=ProcexpOpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION,FALSE,Pid);
if (hProcess!=NULL)
{
#ifdef _WIN64
@ -823,7 +823,7 @@ RpcInterfaceInfo_T* __fastcall RpcCoreGetInterfaceInfo(void* pRpcCoreCtxt,DWORD
RpcInterfaceInfo_T* pRpcInterfaceInfo = NULL;
pRpcCoreInternalCtxt = (RpcCoreInternalCtxt_T*)pRpcCoreCtxt;
hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, Pid);
hProcess = ProcexpOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, Pid);
if (hProcess == NULL) { DEBUG_BREAK(); goto End; }
pRpcInterface = GetProcessInterface(pRpcCoreInternalCtxt, hProcess, pIf);
@ -865,7 +865,7 @@ BOOL __fastcall RpcCoreEnumProcessInterfaces(void* pRpcCoreCtxt,DWORD Pid,RpcCor
RpcInterfaceInfo_T* pRpcInterfaceInfo = NULL;
RpcCoreInternalCtxt_T* pRpcCoreInternalCtxt=(RpcCoreInternalCtxt_T*)pRpcCoreCtxt;
hProcess=OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION,FALSE,Pid);
hProcess=ProcexpOpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION,FALSE,Pid);
if (hProcess==NULL) goto End;
if (!ReadProcessMemory(hProcess,pRpcCoreInternalCtxt->pGlobalRpcServer,&pRpcServer,sizeof(VOID PTR_T),NULL)) goto End;
@ -917,7 +917,7 @@ BOOL __fastcall RpcCoreEnumProcessEndpoints(void* pRpcCoreCtxt,DWORD Pid,RpcCore
BOOL bContinue=TRUE;
RpcCoreInternalCtxt_T* pRpcCoreInternalCtxt=(RpcCoreInternalCtxt_T*)pRpcCoreCtxt;
hProcess=OpenProcess(PROCESS_VM_READ,FALSE,Pid);
hProcess=ProcexpOpenProcess(PROCESS_VM_READ,FALSE,Pid);
if (hProcess==NULL) goto End;
if (!ReadProcessMemory(hProcess,pRpcCoreInternalCtxt->pGlobalRpcServer,&pRpcServer,sizeof(VOID PTR_T),NULL)) goto End;
@ -1016,7 +1016,7 @@ BOOL __fastcall RpcCoreEnumProcessAuthInfo(void* pRpcCoreCtxt,DWORD Pid,RpcCoreE
if (RegOpenKeyExW(HKEY_LOCAL_MACHINE,L"SOFTWARE\\Microsoft\\Rpc\\SecurityService",0,KEY_READ,&hKey)!=ERROR_SUCCESS) goto End;
if (EnumerateSecurityPackagesW(&PackagesCount,&SecurityPackageInfoTbl)!=SEC_E_OK) goto End;
hProcess=OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION,FALSE,Pid);
hProcess=ProcexpOpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION,FALSE,Pid);
if (hProcess==NULL) goto End;
if (!ReadProcessMemory(hProcess,pRpcCoreInternalCtxt->pGlobalRpcServer,&pRpcServer,sizeof(VOID PTR_T), NULL)) goto End;
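Review bot: The new call in GetRpcServerAddressInProcess still requests PROCESS_ALL_ACCESS, whereas the other new call sites in this file (RpcCoreGetProcessInfo, RpcCoreGetInterfaceInfo, RpcCoreEnumProcessInterfaces, RpcCoreEnumProcessAuthInfo) ask only for PROCESS_VM_READ|PROCESS_QUERY_INFORMATION. Because ProcexpOpenProcess falls back to the driver whenever OpenProcess fails, a denied ALL_ACCESS open now silently routes through the kernel driver even for processes that a narrower mask could open in user mode. The only operation visible in that hunk is EnumProcessModulesEx, which the narrower mask covers; the rest of the function lies outside the hunk, so confirm nothing further down needs more before changing the line to `hProcess = ProcexpOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, Pid);`.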


@ -67,7 +67,7 @@ void InterfaceSelectedVisitor_C::Visit(InterfaceInfoWidget_C* pInterfaceInfoWidg
SymbolName[0]=0;
if (pRpcInterfaceInfo->pLocationBase!=NULL)
{
hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,Pid);
hProcess=ProcexpOpenProcess(PROCESS_ALL_ACCESS,FALSE,Pid);
if (hProcess==NULL) goto End;
hPdb = PdbInit(hProcess, pRpcInterfaceInfo->pLocationBase, pRpcInterfaceInfo->LocationSize);
@ -140,7 +140,7 @@ void InterfaceSelectedVisitor_C::Visit(ProceduresWidget_C* pProceduresWidget)
case IfType_RPC:
if (pRpcInterfaceInfo->pLocationBase==NULL) goto End;
hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,Pid);
hProcess=ProcexpOpenProcess(PROCESS_ALL_ACCESS,FALSE,Pid);
if (hProcess==NULL) goto End;
hPdb = PdbInit(hProcess, pRpcInterfaceInfo->pLocationBase, pRpcInterfaceInfo->LocationSize);


@ -193,7 +193,7 @@ BOOL __fastcall RpcGetProcessData(RpcModuleInfo_T* pRpcModuleInfo, RVA_T Rva, VO
if (pRpcModuleInfo == NULL) goto End;
pAddress = (VOID*)(pRpcModuleInfo->pModuleBase + Rva);
hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pRpcModuleInfo->Pid);
hProcess = ProcexpOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pRpcModuleInfo->Pid);
if (hProcess == NULL) goto End;
bResult = ReadProcessMemory(hProcess, pAddress, pBuffer, BufferLength, NULL);
End:


@ -154,7 +154,7 @@ void NTAPI InitDecompilerInfo(_In_ RpcInterfaceInfo_T* pRpcInterfaceInfo, _Out_
pRpcDecompilerInfo->ppProcNameTable = (WCHAR**)OS_ALLOC(pRpcDecompilerInfo->NumberOfProcedures*sizeof(UCHAR*));
if (pRpcDecompilerInfo->ppProcNameTable == NULL) goto End;
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pRpcInterfaceInfo->Pid);
hProcess = ProcexpOpenProcess(PROCESS_ALL_ACCESS, FALSE, pRpcInterfaceInfo->Pid);
if (hProcess == NULL) goto End;
#ifdef _WIN64
pRpcDecompilerInfo->bIs64Bits = !pRpcInterfaceInfo->bWow64Process;