#pragma once
// Initial size (64 KiB) of the buffer ProcessInfo uses for its system
// information query -- presumably grown on demand; buffer_size in the class
// tracks the current size. Confirm in the .cpp.
#define PI_INIT_BUFFER_SIZE 0x10000
// Slot of NtUserMsgWaitForMultipleObjectsEx inside
// ProcessInfo::wait_functions_address; the array has 5 entries, so 4 is the last.
#define NtUserMsgWaitForMultipleObjectsEx_INDEX_IN_ARRAY 4
// Build-specific byte offsets inside an Nt* stub (named "return offset";
// exact meaning lives in the .cpp). NOTE(review): these are hard-coded rather
// than derived at runtime, so every new Windows build must be re-verified
// against them; a wrong value silently misreads thread state.
#define NT_RET_OFFSET_64_WIN7 0x0A //Win7 - Win10 1507
#define NT_RET_OFFSET_64_WIN10_1511 0x14 //Win10 1511+
#define NT_RET_OFFSET_86_WIN7 0x15 //Win7 only
#define NT_RET_OFFSET_86_WIN8 0x0C //Win8+
// Offset of the SameTebFlags field within the TEB, per bitness; the
// bitness-neutral alias TEB_SameTebFlags is selected below.
#define TEB_SameTebFlags_64 0x17EE
#define TEB_SameTebFlags_86 0xFCA
// Bit mask tested against SameTebFlags -- presumably what
// ProcessInfo::IsThreadWorkerThread checks; confirm in the .cpp.
#define TEB_SAMETEB_FLAGS_LoaderWorker 0x2000
#ifdef _WIN64
#define TEB_SameTebFlags TEB_SameTebFlags_64
#else
#define TEB_SameTebFlags TEB_SameTebFlags_86
#endif
// Per-module record produced by ProcessInfo::ReadAllModules / GetModuleInfo.
// NOTE(review): an identifier starting with '_' plus an uppercase letter is
// reserved for the implementation in C++; the name is kept because callers
// depend on it.
struct _MODULE_INFO
{
    // Wide-character module name; array form, so the default deleter is delete[].
    std::shared_ptr<wchar_t[]> module_name{};
    // Length of module_name -- presumably a character count, not bytes; confirm in the .cpp.
    size_t module_name_len{ 0 };
    // Load address expressed as a module handle.
    HMODULE module_base{ nullptr };
    // Entry point address -- assumed absolute rather than an RVA; confirm in the .cpp.
    PVOID module_entry{ nullptr };
    // NOTE(review): user-declared copy assignment from a NON-const reference,
    // with no copy constructor or destructor declared alongside it (rule of
    // five); a const _MODULE_INFO cannot be assigned from. Signature is kept
    // because the out-of-line definition depends on it.
    _MODULE_INFO& operator=(_MODULE_INFO& other);
};
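// Cursor-style view over a system process/thread snapshot plus the module
// list of one target process. The caller picks a process with SetProcess
// and walks its threads with SetThread / FirstThread / NextThread; the
// Get*/Is* queries refer to the current cursor position. All method bodies
// live in the .cpp; only the declarations are documented here.
// NOTE(review): copy/move special members are left implicit even though the
// class holds raw pointers and a vector of raw pointers (see ClearModulesVec),
// so copying a ProcessInfo would alias that storage -- confirm intended use.
class ProcessInfo
{
private:
    // Snapshot chain and cursor into it. first_process is presumably the
    // head of the buffer returned by NtQuerySystemInformation;
    // current_process / current_thread are the selected entries -- confirm
    // ownership of the buffer in the .cpp.
    SYSTEM_PROCESS_INFORMATION* first_process = nullptr;
    SYSTEM_PROCESS_INFORMATION* current_process = nullptr;
    SYSTEM_THREAD_INFORMATION* current_thread = nullptr;
    // Resolved Nt* entry points; the f_* function-pointer typedefs are
    // project-declared elsewhere.
    f_NtQueryInformationProcess NtQueryInformationProcess = nullptr;
    f_NtQueryInformationThread NtQueryInformationThread = nullptr;
    f_NtQuerySystemInformation NtQuerySystemInformation = nullptr;
    // Handle of the selected process (supplied by SetProcess) and of win32u.
    // HANDLE/HMODULE are pointer types, so nullptr rather than NULL.
    HANDLE h_current_process = nullptr;
    HMODULE h_win32u = nullptr;
    // DWORD is an integer: initialise with 0, not the NULL pointer macro.
    DWORD current_thread_index = 0;
    // Current size of the snapshot buffer (starts from PI_INIT_BUFFER_SIZE, presumably).
    DWORD buffer_size = 0;
    // Owning raw pointers released by ClearModulesVec -- the vector itself
    // does not free them.
    std::vector<_MODULE_INFO*> process_modules;
    // Resolved wait-function addresses; index 4 is
    // NtUserMsgWaitForMultipleObjectsEx_INDEX_IN_ARRAY.
    DWORD wait_functions_address[5] = { 0 };
    // Frees every entry of process_modules and empties it.
    void ClearModulesVec();
public:
    ProcessInfo();
    ~ProcessInfo();
    //bool SetProcessByName(const wchar_t* proc_name, DWORD desired_access);
    // Selects the target process by handle; the access rights on
    // h_target_proc are the caller's responsibility. Returns false on failure.
    bool SetProcess(HANDLE h_target_proc);
    // Thread cursor: select by TID, rewind, or advance. Each returns false
    // when the thread is not found / the list is exhausted.
    bool SetThread(DWORD TID);
    bool FirstThread();
    bool NextThread();
    // Re-reads the system snapshot so later queries see current state.
    bool RefreshInformation();
    DWORD GetPID();
    DWORD GetTID();
    // NOTE(review): returns a 32-bit DWORD; on _WIN64 a full entry-point
    // address does not fit, so this is presumably an RVA or a truncation
    // hazard -- confirm in the .cpp.
    DWORD GetEntryPoint();
    bool IsProtectedProcess();
    void* GetTEBaddr();
    void* GetPEBaddr();
    // Populates process_modules for the selected process.
    bool ReadAllModules();
    // Copies the record for mod_name into *out_module; false if not found.
    bool GetModuleInfo(const wchar_t* mod_name, _MODULE_INFO* out_module);
    // Module handle of mod_name inside the selected process (not the caller's).
    HMODULE _GetModuleHandle(const wchar_t* mod_name);
    bool IsThreadInAlertableState();
    bool IsThreadWorkerThread();
    // Writes the current thread's state and wait reason through the out-params.
    bool GetThreadState(THREAD_STATE* state, KWAIT_REASON* reason);
    // Non-owning views of the current cursor entries; valid until the next
    // RefreshInformation / SetProcess call, presumably.
    const SYSTEM_PROCESS_INFORMATION* GetProcessInfo();
    const SYSTEM_THREAD_INFORMATION* GetThreadInfo();
};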