From 7302b614ceae09721c415e87d8752d7d2214f3ac Mon Sep 17 00:00:00 2001
From: silverf0x
Date: Sun, 20 Jan 2019 17:49:31 +0100
Subject: [PATCH] Add support for Protected and PPL processes with the ProcessExplorer driver. REMARK: the feature requires the procexp.sys driver version 15.0.0.0
---
 RpcCommon/Misc.c | 47 ++++++++++++++++++++++++++--
 RpcCommon/Misc.h | 2 +-
 RpcCore/RpcCore.c | 12 +++----
 RpcView/InterfaceSelectedVisitor.cpp | 4 +--
 RpcView/MainWindow.cpp | 2 +-
 RpcView/RpcView.cpp | 2 +-
 6 files changed, 55 insertions(+), 14 deletions(-)
diff --git a/RpcCommon/Misc.c b/RpcCommon/Misc.c
index f163bc3..a7f766e 100644
--- a/RpcCommon/Misc.c
+++ b/RpcCommon/Misc.c
@@ -18,6 +18,47 @@ typedef struct _LanguageCodePage_T {
 WORD wCodePage;
 } LanguageCodePage_T;
+#define IOCTL_OPEN_PROCESS 0x8335003C
+
+HANDLE hProcexp = NULL;
+
+HANDLE ProcexpOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
+{
+ HANDLE hProcess = NULL;
+ UINT64 Pid = dwProcessId;
+ DWORD Bytes;
+
+ hProcess = OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
+ if (hProcess != NULL) goto End;
+ if (hProcexp == NULL)
+ {
+ hProcexp = CreateFileA(
+ "\\\\.\\PROCEXP152",
+ GENERIC_READ,
+ 0,
+ NULL,
+ OPEN_EXISTING,
+ FILE_ATTRIBUTE_NORMAL,
+ NULL
+ );
+ if (hProcexp == INVALID_HANDLE_VALUE)
+ {
+ goto End;
+ }
+ }
+ DeviceIoControl(
+ hProcexp,
+ IOCTL_OPEN_PROCESS,
+ &Pid,
+ sizeof(Pid),
+ &hProcess,
+ sizeof(hProcess),
+ &Bytes,
+ NULL
+ );
+End:
+ return hProcess;
+}
 //------------------------------------------------------------------------------
 BOOL WINAPI AdjustPrivilege(LPCTSTR lpPrivilegeName,BOOL bEnablePrivilege)
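Review bot: A failed `CreateFileA` is cached the wrong way round: `hProcexp` keeps the `INVALID_HANDLE_VALUE` it returns, so every later call skips the `== NULL` guard and issues `DeviceIoControl` against an invalid handle, and the result of that `DeviceIoControl` is never checked, so `hProcess` is whatever the output buffer holds rather than a handle the driver confirmed. Reset the global on failure and test the IOCTL's return before trusting `hProcess`, as sketched below. Note also that only the PID crosses into the driver — `dwDesiredAccess` and `bInheritHandle` are not part of the IOCTL input — so a handle obtained on this path presumably carries whatever rights the driver grants rather than what the caller asked for; that deserves a header comment on the function, e.g. `/* OpenProcess() with a fallback to the Process Explorer driver when the open is refused; the driver path does not receive dwDesiredAccess/bInheritHandle, so the handle it returns may be more privileged than requested. */`. The driver handle is also never closed, which is acceptable for a process-lifetime singleton but should be said in the same comment.
```c
    if (hProcexp == NULL)
    {
        /* … unchanged: CreateFileA("\\\\.\\PROCEXP152", ...) … */
        if (hProcexp == INVALID_HANDLE_VALUE)
        {
            hProcexp = NULL;    /* do not cache the failure as an invalid handle */
            goto End;
        }
    }
    if (!DeviceIoControl(hProcexp, IOCTL_OPEN_PROCESS, &Pid, sizeof(Pid),
                         &hProcess, sizeof(hProcess), &Bytes, NULL))
    {
        hProcess = NULL;    /* driver refused or is absent: report failure like OpenProcess */
    }
End:
    return hProcess;
```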
@@ -259,7 +300,7 @@ BOOL WINAPI GetProcessPath(DWORD Pid, WCHAR* pProcessPath, DWORD ProcessPathLeng
 BOOL bResult = FALSE;
 DWORD Size;
- hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Pid);
+ hProcess = ProcexpOpenProcess(PROCESS_ALL_ACCESS, FALSE, Pid);
 if (hProcess == NULL) goto End;
 Size = ProcessPathLength;
 bResult = QueryFullProcessImageNameW(hProcess, 0, pProcessPath, &Size);
@@ -299,7 +340,7 @@ BOOL WINAPI GetUserAndDomainName(DWORD Pid, WCHAR* Buffer, ULONG BufferLengthInB
 SID_NAME_USE SidType;
 BOOL bResult = FALSE;
- hProcess = OpenProcess(PROCESS_VM_OPERATION|PROCESS_QUERY_INFORMATION,FALSE,Pid);
+ hProcess = ProcexpOpenProcess(PROCESS_VM_OPERATION|PROCESS_QUERY_INFORMATION,FALSE,Pid);
 if (hProcess==NULL) goto End;
 if (!OpenProcessToken(hProcess,TOKEN_QUERY,&hToken)) goto End;
@@ -325,7 +366,7 @@ BOOL WINAPI IsProcessWow64(ULONG Pid)
 BOOL bWow64 = FALSE;
 HANDLE hProcess = NULL;
- hProcess = OpenProcess(PROCESS_VM_OPERATION|PROCESS_QUERY_INFORMATION,FALSE,Pid);
+ hProcess = ProcexpOpenProcess(PROCESS_VM_OPERATION|PROCESS_QUERY_INFORMATION,FALSE,Pid);
 if (hProcess==NULL) goto End;
 IsWow64Process(hProcess,&bWow64);
 End:
diff --git a/RpcCommon/Misc.h b/RpcCommon/Misc.h
index 1d955b9..3dba593 100644
--- a/RpcCommon/Misc.h
+++ b/RpcCommon/Misc.h
@@ -31,7 +31,7 @@ typedef struct _LocationInfo_T{
 SIZE_T Size;
 }LocationInfo_T;
-
+HANDLE WINAPI ProcexpOpenProcess(DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwProcessId);
 BOOL WINAPI AdjustPrivilege(LPCTSTR lpPrivilegeName,BOOL bEnablePrivilege);
 BOOL WINAPI GetModuleDescription(WCHAR* pModulePath,WCHAR* pDescription,UINT Bytes);
 UINT64 WINAPI GetModuleVersion(WCHAR* pModulePath);
diff --git a/RpcCore/RpcCore.c b/RpcCore/RpcCore.c
index 159b05f..5db1837 100644
--- a/RpcCore/RpcCore.c
+++ b/RpcCore/RpcCore.c
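Review bot: `PROCESS_ALL_ACCESS` on the new line is far more than `QueryFullProcessImageNameW` needs, and with the fallback introduced by this patch the excess now has a consequence: whenever a full-access open is refused the wrapper escalates to the kernel driver, whereas `PROCESS_QUERY_LIMITED_INFORMATION` is, to my knowledge, sufficient for this call and is granted on protected processes without any driver at all. Requesting the least privilege keeps the driver path for the cases that genuinely need it: `hProcess = ProcexpOpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, Pid);`. The prologue and the End label of GetProcessPath lie outside the hunk.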
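Review bot: `PROCESS_VM_OPERATION` is requested on the new line, yet nothing visible in the hunk writes the target's memory; `OpenProcessToken(…, TOKEN_QUERY, …)` needs only a query right on the process handle. Because the wrapper now routes every refused open through the Process Explorer driver, asking for a right the function does not use turns an ordinary user/domain lookup into a driver-brokered handle on protected processes; `hProcess = ProcexpOpenProcess(PROCESS_QUERY_LIMITED_INFORMATION,FALSE,Pid);` should be enough (PROCESS_QUERY_INFORMATION if pre-Vista targets still matter). The same unused `PROCESS_VM_OPERATION` appears in the IsProcessWow64 hunk below. GetUserAndDomainName continues outside the hunk.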
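Review bot: The prototype declares `HANDLE WINAPI ProcexpOpenProcess(...)` but the definition added to Misc.c in this same patch has no `WINAPI`; on x86 builds that is a `__stdcall` vs `__cdecl` mismatch that MSVC reports as a redefinition with a different calling convention, and it only goes unnoticed on x64 where both conventions collapse into one. Make the two agree, e.g. `HANDLE WINAPI ProcexpOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)` in Misc.c, which also matches the `WINAPI` every neighbouring declaration in this header uses. The header should also tell callers that the handle may not come from `OpenProcess`, e.g. `/* OpenProcess() with a fallback to the Process Explorer driver (\\.\PROCEXP152) when the open is refused, e.g. for protected/PPL processes; the driver path does not honour dwDesiredAccess. */`, since C++ callers in RpcView never see Misc.c.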
@@ -220,7 +220,7 @@ BOOL WINAPI GetRpcServerAddressInProcess(DWORD Pid,RpcCoreInternalCtxt_T* pRpcCo
 CHAR ModuleFileName[MAX_PATH];
 BOOL bResult=FALSE;
- hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Pid);
+ hProcess = ProcexpOpenProcess(PROCESS_ALL_ACCESS, FALSE, Pid);
 if (hProcess == NULL) goto End;
 EnumProcessModulesEx(hProcess, NULL, 0, &cbSize, LIST_MODULES_ALL);
@@ -403,7 +403,7 @@ RpcProcessInfo_T* __fastcall RpcCoreGetProcessInfo(void* pRpcCoreCtxt,DWORD Pid,
 pRpcProcessInfo->ParentPid = Ppid;
 pRpcProcessInfo->RpcProcessType = RpcProcessType_UNKNOWN;
- hProcess=OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION,FALSE,Pid);
+ hProcess=ProcexpOpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION,FALSE,Pid);
 if (hProcess!=NULL)
 {
 #ifdef _WIN64
@@ -823,7 +823,7 @@ RpcInterfaceInfo_T* __fastcall RpcCoreGetInterfaceInfo(void* pRpcCoreCtxt,DWORD
 RpcInterfaceInfo_T* pRpcInterfaceInfo = NULL;
 pRpcCoreInternalCtxt = (RpcCoreInternalCtxt_T*)pRpcCoreCtxt;
- hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, Pid);
+ hProcess = ProcexpOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, Pid);
 if (hProcess == NULL) { DEBUG_BREAK(); goto End; }
 pRpcInterface = GetProcessInterface(pRpcCoreInternalCtxt, hProcess, pIf);
@@ -865,7 +865,7 @@ BOOL __fastcall RpcCoreEnumProcessInterfaces(void* pRpcCoreCtxt,DWORD Pid,RpcCor
 RpcInterfaceInfo_T* pRpcInterfaceInfo = NULL;
 RpcCoreInternalCtxt_T* pRpcCoreInternalCtxt=(RpcCoreInternalCtxt_T*)pRpcCoreCtxt;
- hProcess=OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION,FALSE,Pid);
+ hProcess=ProcexpOpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION,FALSE,Pid);
 if (hProcess==NULL) goto End;
 if (!ReadProcessMemory(hProcess,pRpcCoreInternalCtxt->pGlobalRpcServer,&pRpcServer,sizeof(VOID PTR_T),NULL)) goto End;
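Review bot: `PROCESS_ALL_ACCESS` on the new line is out of step with every other RpcCore.c call site converted in this patch, which open with `PROCESS_VM_READ|PROCESS_QUERY_INFORMATION`, and the only use the hunk shows is `EnumProcessModulesEx`, which is documented as needing exactly those two rights. Now that a refused open is retried through the kernel driver — whose IOCTL, as far as the Misc.c hunk shows, does not even receive the requested mask — over-requesting means a full-access handle (driver-brokered on protected processes) is held for what is a read-only module walk. Suggest `hProcess = ProcexpOpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, Pid);` unless code below the hunk needs more. GetRpcServerAddressInProcess's body continues outside the hunk.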
@@ -917,7 +917,7 @@ BOOL __fastcall RpcCoreEnumProcessEndpoints(void* pRpcCoreCtxt,DWORD Pid,RpcCore
 BOOL bContinue=TRUE;
 RpcCoreInternalCtxt_T* pRpcCoreInternalCtxt=(RpcCoreInternalCtxt_T*)pRpcCoreCtxt;
- hProcess=OpenProcess(PROCESS_VM_READ,FALSE,Pid);
+ hProcess=ProcexpOpenProcess(PROCESS_VM_READ,FALSE,Pid);
 if (hProcess==NULL) goto End;
 if (!ReadProcessMemory(hProcess,pRpcCoreInternalCtxt->pGlobalRpcServer,&pRpcServer,sizeof(VOID PTR_T),NULL)) goto End;
@@ -1016,7 +1016,7 @@ BOOL __fastcall RpcCoreEnumProcessAuthInfo(void* pRpcCoreCtxt,DWORD Pid,RpcCoreE
 if (RegOpenKeyExW(HKEY_LOCAL_MACHINE,L"SOFTWARE\\Microsoft\\Rpc\\SecurityService",0,KEY_READ,&hKey)!=ERROR_SUCCESS) goto End;
 if (EnumerateSecurityPackagesW(&PackagesCount,&SecurityPackageInfoTbl)!=SEC_E_OK) goto End;
- hProcess=OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION,FALSE,Pid);
+ hProcess=ProcexpOpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION,FALSE,Pid);
 if (hProcess==NULL) goto End;
 if (!ReadProcessMemory(hProcess,pRpcCoreInternalCtxt->pGlobalRpcServer,&pRpcServer,sizeof(VOID PTR_T), NULL)) goto End;
diff --git a/RpcView/InterfaceSelectedVisitor.cpp b/RpcView/InterfaceSelectedVisitor.cpp
index f5c2e62..b6980c9 100644
--- a/RpcView/InterfaceSelectedVisitor.cpp
+++ b/RpcView/InterfaceSelectedVisitor.cpp
@@ -67,7 +67,7 @@ void InterfaceSelectedVisitor_C::Visit(InterfaceInfoWidget_C* pInterfaceInfoWidg
 SymbolName[0]=0;
 if (pRpcInterfaceInfo->pLocationBase!=NULL)
 {
- hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,Pid);
+ hProcess=ProcexpOpenProcess(PROCESS_ALL_ACCESS,FALSE,Pid);
 if (hProcess==NULL) goto End;
 hPdb = PdbInit(hProcess, pRpcInterfaceInfo->pLocationBase, pRpcInterfaceInfo->LocationSize);
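Review bot: `PROCESS_ALL_ACCESS` is requested on the new line for a handle whose only visible use is `PdbInit` for symbol resolution; PdbInit is defined outside this hunk so I cannot confirm what it needs, but if it only reads the target, `PROCESS_VM_READ|PROCESS_QUERY_INFORMATION` — the mask MainWindow.cpp uses in this same patch — would do, and it avoids holding a full-access (or, on protected processes, driver-brokered) handle for a read-only symbol lookup triggered by a UI selection. Either narrow the mask, `hProcess=ProcexpOpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION,FALSE,Pid);`, or add a one-line comment stating why PdbInit needs full access. The enclosing Visit() method begins and ends outside the hunk.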
@@ -140,7 +140,7 @@ void InterfaceSelectedVisitor_C::Visit(ProceduresWidget_C* pProceduresWidget)
 case IfType_RPC:
 if (pRpcInterfaceInfo->pLocationBase==NULL) goto End;
- hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,Pid);
+ hProcess=ProcexpOpenProcess(PROCESS_ALL_ACCESS,FALSE,Pid);
 if (hProcess==NULL) goto End;
 hPdb = PdbInit(hProcess, pRpcInterfaceInfo->pLocationBase, pRpcInterfaceInfo->LocationSize);
diff --git a/RpcView/MainWindow.cpp b/RpcView/MainWindow.cpp
index 454f886..e75401e 100644
--- a/RpcView/MainWindow.cpp
+++ b/RpcView/MainWindow.cpp
@@ -193,7 +193,7 @@ BOOL __fastcall RpcGetProcessData(RpcModuleInfo_T* pRpcModuleInfo, RVA_T Rva, VO
 if (pRpcModuleInfo == NULL) goto End;
 pAddress = (VOID*)(pRpcModuleInfo->pModuleBase + Rva);
- hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pRpcModuleInfo->Pid);
+ hProcess = ProcexpOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pRpcModuleInfo->Pid);
 if (hProcess == NULL) goto End;
 bResult = ReadProcessMemory(hProcess, pAddress, pBuffer, BufferLength, NULL);
 End:
diff --git a/RpcView/RpcView.cpp b/RpcView/RpcView.cpp
index a8990ad..6a3a46f 100644
--- a/RpcView/RpcView.cpp
+++ b/RpcView/RpcView.cpp
@@ -154,7 +154,7 @@ void NTAPI InitDecompilerInfo(_In_ RpcInterfaceInfo_T* pRpcInterfaceInfo, _Out_
 pRpcDecompilerInfo->ppProcNameTable = (WCHAR**)OS_ALLOC(pRpcDecompilerInfo->NumberOfProcedures*sizeof(UCHAR*));
 if (pRpcDecompilerInfo->ppProcNameTable == NULL) goto End;
- hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pRpcInterfaceInfo->Pid);
+ hProcess = ProcexpOpenProcess(PROCESS_ALL_ACCESS, FALSE, pRpcInterfaceInfo->Pid);
 if (hProcess == NULL) goto End;
 #ifdef _WIN64
 pRpcDecompilerInfo->bIs64Bits = !pRpcInterfaceInfo->bWow64Process;
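Review bot: The new line in InitDecompilerInfo asks for `PROCESS_ALL_ACCESS` while the other readers converted by this patch (RpcCore.c, MainWindow.cpp) ask for `PROCESS_VM_READ | PROCESS_QUERY_INFORMATION`, and nothing in the hunk shows a use that needs more — the remainder of the function is outside view, so this is a request to confirm rather than a certainty. `hProcess = ProcexpOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pRpcInterfaceInfo->Pid);` would keep the decompiler's handle as narrow as the rest of the code base, which matters more now that a refused open yields a driver-brokered handle on protected/PPL processes. A short comment at the call, `// may be a driver-brokered handle for protected/PPL processes (see RpcCommon/Misc.c)`, would also help readers of this C++ file who never open Misc.c.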