diff --git a/Cargo.lock b/Cargo.lock index 94f58b7..2e7d1a9 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -26,6 +26,16 @@ name = "arrayvec" version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" +[[package]] +name = "atty" +version = "0.2.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +dependencies = [ + "hermit-abi 0.1.6 (registry+https://github.com/rust-lang/crates.io-index)", + "libc 0.2.66 (registry+https://github.com/rust-lang/crates.io-index)", + "winapi 0.3.8 (registry+https://github.com/rust-lang/crates.io-index)", +] + [[package]] name = "autocfg" version = "1.0.0" @@ -70,6 +80,17 @@ dependencies = [ "byte-tools 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)", ] +[[package]] +name = "bstr" +version = "0.2.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +dependencies = [ + "lazy_static 1.4.0 (registry+https://github.com/rust-lang/crates.io-index)", + "memchr 2.3.2 (registry+https://github.com/rust-lang/crates.io-index)", + "regex-automata 0.1.9 (registry+https://github.com/rust-lang/crates.io-index)", + "serde 1.0.104 (registry+https://github.com/rust-lang/crates.io-index)", +] + [[package]] name = "bumpalo" version = "3.2.0" @@ -147,6 +168,26 @@ dependencies = [ "lazy_static 1.4.0 (registry+https://github.com/rust-lang/crates.io-index)", ] +[[package]] +name = "csv" +version = "1.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +dependencies = [ + "bstr 0.2.13 (registry+https://github.com/rust-lang/crates.io-index)", + "csv-core 0.1.10 (registry+https://github.com/rust-lang/crates.io-index)", + "itoa 0.4.5 (registry+https://github.com/rust-lang/crates.io-index)", + "ryu 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)", + "serde 1.0.104 (registry+https://github.com/rust-lang/crates.io-index)", +] + +[[package]] +name = "csv-core" +version = "0.1.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +dependencies = [ + "memchr 2.3.2 (registry+https://github.com/rust-lang/crates.io-index)", +] + [[package]] name = "digest" version = "0.8.1" @@ -155,6 +196,16 @@ dependencies = [ "generic-array 0.12.3 (registry+https://github.com/rust-lang/crates.io-index)", ] +[[package]] +name = "dirs" +version = "1.0.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +dependencies = [ + "libc 0.2.66 (registry+https://github.com/rust-lang/crates.io-index)", + "redox_users 0.3.4 (registry+https://github.com/rust-lang/crates.io-index)", + "winapi 0.3.8 (registry+https://github.com/rust-lang/crates.io-index)", +] + [[package]] name = "dirs-next" version = "1.0.1" @@ -179,6 +230,11 @@ name = "dtoa" version = "0.4.5" source = "registry+https://github.com/rust-lang/crates.io-index" +[[package]] +name = "encode_unicode" +version = "0.3.6" +source = "registry+https://github.com/rust-lang/crates.io-index" + [[package]] name = "encoding_rs" version = "0.8.22" @@ -457,6 +513,7 @@ dependencies = [ "pdb 0.5.0 (registry+https://github.com/rust-lang/crates.io-index)", "pest 2.1.3 (registry+https://github.com/rust-lang/crates.io-index)", "pest_derive 2.1.0 (registry+https://github.com/rust-lang/crates.io-index)", + "prettytable-rs 0.8.0 (registry+https://github.com/rust-lang/crates.io-index)", "reqwest 0.10.1 (registry+https://github.com/rust-lang/crates.io-index)", "rustyline 6.2.0 (registry+https://github.com/rust-lang/crates.io-index)", "serde_json 1.0.55 (registry+https://github.com/rust-lang/crates.io-index)", @@ -740,6 +797,19 @@ name = "ppv-lite86" version = "0.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" +[[package]] +name = "prettytable-rs" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +dependencies = [ + "atty 0.2.14 (registry+https://github.com/rust-lang/crates.io-index)", + "csv 1.1.3 (registry+https://github.com/rust-lang/crates.io-index)", + "encode_unicode 0.3.6 (registry+https://github.com/rust-lang/crates.io-index)", + "lazy_static 1.4.0 (registry+https://github.com/rust-lang/crates.io-index)", + "term 0.5.2 (registry+https://github.com/rust-lang/crates.io-index)", + "unicode-width 0.1.7 (registry+https://github.com/rust-lang/crates.io-index)", +] + [[package]] name = "proc-macro2" version = "0.4.30" @@ -824,6 +894,14 @@ dependencies = [ "rust-argon2 0.7.0 (registry+https://github.com/rust-lang/crates.io-index)", ] +[[package]] +name = "regex-automata" +version = "0.1.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +dependencies = [ + "byteorder 1.3.4 (registry+https://github.com/rust-lang/crates.io-index)", +] + [[package]] name = "remove_dir_all" version = "0.5.2" @@ -1067,6 +1145,16 @@ dependencies = [ "winapi 0.3.8 (registry+https://github.com/rust-lang/crates.io-index)", ] +[[package]] +name = "term" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +dependencies = [ + "byteorder 1.3.4 (registry+https://github.com/rust-lang/crates.io-index)", + "dirs 1.0.5 (registry+https://github.com/rust-lang/crates.io-index)", + "winapi 0.3.8 (registry+https://github.com/rust-lang/crates.io-index)", +] + [[package]] name = "time" version = "0.1.42" @@ -1391,12 +1479,14 @@ source = "registry+https://github.com/rust-lang/crates.io-index" "checksum app_dirs 1.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "e73a24bad9bd6a94d6395382a6c69fe071708ae4409f763c5475e14ee896313d" "checksum arrayref 0.3.6 (registry+https://github.com/rust-lang/crates.io-index)" = "a4c527152e37cf757a3f78aae5a06fbeefdb07ccc535c980a3208ee3060dd544" "checksum arrayvec 0.5.1 (registry+https://github.com/rust-lang/crates.io-index)" = "cff77d8686867eceff3105329d4698d96c2391c176d5d03adc90c7389162b5b8" +"checksum atty 0.2.14 (registry+https://github.com/rust-lang/crates.io-index)" = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8" "checksum autocfg 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)" = "f8aac770f1885fd7e387acedd76065302551364496e46b3dd00860b2f8359b9d" "checksum base64 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)" = "b41b7ea54a0c9d92199de89e20e58d49f02f8e699814ef3fdf266f6f748d15c7" "checksum bitflags 1.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693" "checksum blake2b_simd 0.5.10 (registry+https://github.com/rust-lang/crates.io-index)" = "d8fb2d74254a3a0b5cac33ac9f8ed0e44aa50378d9dbb2e5d83bd21ed1dc2c8a" "checksum block-buffer 0.7.3 (registry+https://github.com/rust-lang/crates.io-index)" = "c0940dc441f31689269e10ac70eb1002a3a1d3ad1390e030043662eb7fe4688b" "checksum block-padding 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)" = "fa79dedbb091f449f1f39e53edf88d5dbe95f895dae6135a8d7b881fb5af73f5" +"checksum bstr 0.2.13 (registry+https://github.com/rust-lang/crates.io-index)" = "31accafdb70df7871592c058eca3985b71104e15ac32f64706022c58867da931" "checksum bumpalo 3.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "1f359dc14ff8911330a51ef78022d376f25ed00248912803b58f00cb1c27f742" "checksum byte-tools 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)" = "e3b5ca7a04898ad4bcd41c90c5285445ff5b791899bb1b0abdd2a2aa791211d7" "checksum byteorder 1.3.4 (registry+https://github.com/rust-lang/crates.io-index)" = "08c48aae112d48ed9f069b33538ea9e3e90aa263cfa3d1c24309612b1f7472de" @@ -1409,10 +1499,14 @@ source = "registry+https://github.com/rust-lang/crates.io-index" "checksum core-foundation 0.6.4 (registry+https://github.com/rust-lang/crates.io-index)" = "25b9e03f145fd4f2bf705e07b900cd41fc636598fe5dc452fd0db1441c3f496d" "checksum core-foundation-sys 0.6.2 (registry+https://github.com/rust-lang/crates.io-index)" = "e7ca8a5221364ef15ce201e8ed2f609fc312682a8f4e0e3d4aa5879764e0fa3b" "checksum crossbeam-utils 0.7.2 (registry+https://github.com/rust-lang/crates.io-index)" = "c3c7c73a2d1e9fc0886a08b93e98eb643461230d5f1925e4036204d5f2e261a8" +"checksum csv 1.1.3 (registry+https://github.com/rust-lang/crates.io-index)" = "00affe7f6ab566df61b4be3ce8cf16bc2576bca0963ceb0955e45d514bf9a279" +"checksum csv-core 0.1.10 (registry+https://github.com/rust-lang/crates.io-index)" = "2b2466559f260f48ad25fe6317b3c8dac77b5bdb5763ac7d9d6103530663bc90" "checksum digest 0.8.1 (registry+https://github.com/rust-lang/crates.io-index)" = "f3d0c8c8752312f9713efd397ff63acb9f85585afbf179282e720e7704954dd5" +"checksum dirs 1.0.5 (registry+https://github.com/rust-lang/crates.io-index)" = "3fd78930633bd1c6e35c4b42b1df7b0cbc6bc191146e512bb3bedf243fcc3901" "checksum dirs-next 1.0.1 (registry+https://github.com/rust-lang/crates.io-index)" = "1cbcf9241d9e8d106295bd496bbe2e9cffd5fa098f2a8c9e2bbcbf09773c11a8" "checksum dirs-sys-next 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "9c60f7b8a8953926148223260454befb50c751d3c50e1c178c4fd1ace4083c9a" "checksum dtoa 0.4.5 (registry+https://github.com/rust-lang/crates.io-index)" = "4358a9e11b9a09cf52383b451b49a169e8d797b68aa02301ff586d70d9661ea3" +"checksum encode_unicode 0.3.6 (registry+https://github.com/rust-lang/crates.io-index)" = "a357d28ed41a50f9c765dbfe56cbc04a64e53e5fc58ba79fbc34c10ef3df831f" "checksum encoding_rs 0.8.22 (registry+https://github.com/rust-lang/crates.io-index)" = "cd8d03faa7fe0c1431609dfad7bbe827af30f82e1e2ae6f7ee4fca6bd764bc28" "checksum fake-simd 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)" = "e88a8acf291dafb59c2d96e8f59828f3838bb1a70398823ade51a84de6a6deed" "checksum fallible-iterator 0.1.6 (registry+https://github.com/rust-lang/crates.io-index)" = "eb7217124812dc5672b7476d0c2d20cfe9f7c0f1ba0904b674a9762a0212f72e" @@ -1478,6 +1572,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" "checksum pin-utils 0.1.0-alpha.4 (registry+https://github.com/rust-lang/crates.io-index)" = "5894c618ce612a3fa23881b152b608bafb8c56cfc22f434a3ba3120b40f7b587" "checksum pkg-config 0.3.17 (registry+https://github.com/rust-lang/crates.io-index)" = "05da548ad6865900e60eaba7f589cc0783590a92e940c26953ff81ddbab2d677" "checksum ppv-lite86 0.2.6 (registry+https://github.com/rust-lang/crates.io-index)" = "74490b50b9fbe561ac330df47c08f3f33073d2d00c150f719147d7c54522fa1b" +"checksum prettytable-rs 0.8.0 (registry+https://github.com/rust-lang/crates.io-index)" = "0fd04b170004fa2daccf418a7f8253aaf033c27760b5f225889024cf66d7ac2e" "checksum proc-macro2 0.4.30 (registry+https://github.com/rust-lang/crates.io-index)" = "cf3d2011ab5c909338f7887f4fc896d35932e29146c12c8d01da6b22a80ba759" "checksum proc-macro2 1.0.8 (registry+https://github.com/rust-lang/crates.io-index)" = "3acb317c6ff86a4e579dfa00fc5e6cca91ecbb4e7eb2df0468805b674eb88548" "checksum quote 0.6.13 (registry+https://github.com/rust-lang/crates.io-index)" = "6ce23b6b870e8f94f81fb0a363d65d86675884b34a09043c81e5562f11c1f8e1" @@ -1488,6 +1583,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" "checksum rand_hc 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "ca3129af7b92a17112d59ad498c6f81eaf463253766b90396d39ea7a39d6613c" "checksum redox_syscall 0.1.56 (registry+https://github.com/rust-lang/crates.io-index)" = "2439c63f3f6139d1b57529d16bc3b8bb855230c8efcc5d3a896c8bea7c3b1e84" "checksum redox_users 0.3.4 (registry+https://github.com/rust-lang/crates.io-index)" = "09b23093265f8d200fa7b4c2c76297f47e681c655f6f1285a8780d6a022f7431" +"checksum regex-automata 0.1.9 (registry+https://github.com/rust-lang/crates.io-index)" = "ae1ded71d66a4a97f5e961fd0cb25a5f366a42a41570d16a763a69c092c26ae4" "checksum remove_dir_all 0.5.2 (registry+https://github.com/rust-lang/crates.io-index)" = "4a83fa3702a688b9359eccba92d153ac33fd2e8462f9e0e3fdf155239ea7792e" "checksum reqwest 0.10.1 (registry+https://github.com/rust-lang/crates.io-index)" = "c0e798e19e258bf6c30a304622e3e9ac820e483b06a1857a026e1f109b113fe4" "checksum rust-argon2 0.7.0 (registry+https://github.com/rust-lang/crates.io-index)" = "2bc8af4bda8e1ff4932523b94d3dd20ee30a87232323eda55903ffd71d2fb017" @@ -1513,6 +1609,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" "checksum syn 0.15.44 (registry+https://github.com/rust-lang/crates.io-index)" = "9ca4b3b69a77cbe1ffc9e198781b7acb0c7365a883670e8f1c1bc66fba79a5c5" "checksum syn 1.0.14 (registry+https://github.com/rust-lang/crates.io-index)" = "af6f3550d8dff9ef7dc34d384ac6f107e5d31c8f57d9f28e0081503f547ac8f5" "checksum tempfile 3.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "7a6e24d9338a0a5be79593e2fa15a648add6138caa803e2d5bc782c371732ca9" +"checksum term 0.5.2 (registry+https://github.com/rust-lang/crates.io-index)" = "edd106a334b7657c10b7c540a0106114feadeb4dc314513e97df481d5d966f42" "checksum time 0.1.42 (registry+https://github.com/rust-lang/crates.io-index)" = "db8dcfca086c1143c9270ac42a2bbd8a7ee477b78ac8e45b19abfb0cbede4b6f" "checksum tokio 0.2.11 (registry+https://github.com/rust-lang/crates.io-index)" = "8fdd17989496f49cdc57978c96f0c9fe5e4a58a8bddc6813c449a4624f6a030b" "checksum tokio-tls 0.3.0 (registry+https://github.com/rust-lang/crates.io-index)" = "7bde02a3a5291395f59b06ec6945a3077602fac2b07eeeaf0dee2122f3619828" diff --git a/Cargo.toml b/Cargo.toml index d97640b..185c2a8 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -23,3 +23,5 @@ parse_int = "0.4.0" rustyline = "6.2.0" pest = "2.1.3" pest_derive = "2.1.0" +# others +prettytable-rs = "^0.8" diff --git a/src/bin/eprocess_scan.rs b/src/bin/eprocess_scan.rs index 5f13a7a..dd18535 100644 --- a/src/bin/eprocess_scan.rs +++ b/src/bin/eprocess_scan.rs @@ -1,10 +1,45 @@ +use serde_json::Value; +use std::collections::HashSet; use std::error::Error; +#[macro_use] +extern crate prettytable; +use prettytable::Table; + use lpus::{ - driver_state::DriverState, scan_eprocess, traverse_activehead, traverse_handletable, - traverse_kiprocesslist, + driver_state::DriverState, scan_eprocess, scan_ethread, traverse_activehead, + traverse_handletable, traverse_kiprocesslist, }; +fn process_in_list(addr: &str, list: &Vec) -> bool { + for r in list.iter() { + if r["address"].as_str().unwrap() == addr { + return true; + } + } + false +} + +fn get_from_list(addr: &str, list: &Vec) -> Option { + for r in list.iter() { + if r["address"].as_str().unwrap() == addr { + return Some(r.clone()); + } + } + None +} + +fn process_in_list_thread(addr: &str, list: &Vec) -> bool { + for r in list.iter() { + if r["eprocess"].as_str().unwrap() == addr { + return true; + } + } + false +} + +// fn get_process_from_list(addr: String, list: &Vec) -> String { } + fn main() -> Result<(), Box> { let mut driver = DriverState::new(); if !driver.is_supported() { @@ -16,15 +51,54 @@ fn main() -> Result<(), Box> { } println!("NtLoadDriver() -> 0x{:x}", driver.startup()); - let scan = scan_eprocess(&driver).unwrap_or(Vec::new()); + let process_scan = scan_eprocess(&driver).unwrap_or(Vec::new()); + let thread_scan = scan_ethread(&driver).unwrap_or(Vec::new()); let activehead = traverse_activehead(&driver).unwrap_or(Vec::new()); let kiprocesslist = traverse_kiprocesslist(&driver).unwrap_or(Vec::new()); let handletable = traverse_handletable(&driver).unwrap_or(Vec::new()); - for r in scan.iter() { - println!("{:#}", r.to_string()); + let mut unique_process = HashSet::new(); + for list in [&process_scan, &activehead, &kiprocesslist, &handletable].iter() { + for r in list.iter() { + let addr = r["address"].as_str().unwrap(); + unique_process.insert(addr); + } } + let mut table = Table::new(); + table.add_row(row![ + "Address", + "Name", + "pid", + "ppid", + "PoolTagScan", + "ActiveProcessHead", + "KiProcessListHead", + "HandleTableList", + "ThreadScan" + ]); + for p in &unique_process { + let addr = p.to_string(); + let v = get_from_list(&addr, &activehead).unwrap_or_default(); + table.add_row(row![ + &addr, + v["name"].as_str().unwrap_or("(??)"), + v["pid"].as_i64().unwrap_or(-1), + v["ppid"].as_i64().unwrap_or(-1), + process_in_list(&addr, &process_scan), + process_in_list(&addr, &activehead), + process_in_list(&addr, &kiprocesslist), + process_in_list(&addr, &handletable), + process_in_list_thread(&addr, &thread_scan) + ]); + } + + table.printstd(); + + // for r in process_scan.iter() { + // println!("{:#}", r.to_string()); + // } + println!("NtUnloadDriver() -> 0x{:x}", driver.shutdown()); Ok(()) } diff --git a/src/bin/thread_scan.rs b/src/bin/ethread_scan.rs similarity index 100% rename from src/bin/thread_scan.rs rename to src/bin/ethread_scan.rs diff --git a/src/object.rs b/src/object.rs index 5e400ce..77cf446 100644 --- a/src/object.rs +++ b/src/object.rs @@ -80,6 +80,61 @@ pub fn make_ethread(d: &DriverState, a: &Address) -> BoxResult { // let exittime: u64 = d.decompose(a, "_ETHREAD.ExitTime")?; let pid: u64 = d.decompose(a, "_ETHREAD.Cid.UniqueProcess")?; let tid: u64 = d.decompose(a, "_ETHREAD.Cid.UniqueThread")?; + let eprocess: u64 = d.decompose(a, "_ETHREAD.Tcb.Process")?; + let flags: u32 = d.decompose(a, "_ETHREAD.CrossThreadFlags")?; + let state = match d.decompose::(a, "_ETHREAD.Tcb.State")? { + 0 => "Initialized", + 1 => "Ready", + 2 => "Running", + 3 => "Standby", + 4 => "Terminated", + 5 => "Waiting", + 6 => "Transition", + 7 => "DeferredReady", + 8 => "GateWait", + _ => "Unknown", + }; + let wait = match d.decompose::(a, "_ETHREAD.Tcb.WaitReason")? { + 0 => "Executive", + 1 => "FreePage", + 2 => "PageIn", + 3 => "PoolAllocation", + 4 => "DelayExecution", + 5 => "Suspended", + 6 => "UserRequest", + 7 => "WrExecutive", + 8 => "WrFreePage", + 9 => "WrPageIn", + 10 => "WrPoolAllocation", + 11 => "WrDelayExecution", + 12 => "WrSuspended", + 13 => "WrUserRequest", + 14 => "WrEventPair", + 15 => "WrQueue", + 16 => "WrLpcReceive", + 17 => "WrLpcReply", + 18 => "WrVirtualMemory", + 19 => "WrPageOut", + 20 => "WrRendezvous", + 21 => "Spare2", + 22 => "Spare3", + 23 => "Spare4", + 24 => "Spare5", + 25 => "Spare6", + 26 => "WrKernel", + 27 => "WrResource", + 28 => "WrPushLock", + 29 => "WrMutex", + 30 => "WrQuantumEnd", + 31 => "WrDispatchInt", + 32 => "WrPreempted", + 33 => "WrYieldExecution", + 34 => "WrFastMutex", + 35 => "WrGuardedMutex", + 36 => "WrRundown", + 37 => "MaximumWaitReason", + _ => "Unknown", + }; let name_ptr: u64 = d.address_of(a, "_ETHREAD.ThreadName").unwrap_or(0); // ThreadName is after Windows 10 Anniversary let thread_name = if let Ok(name) = d.get_unicode_string(name_ptr) { @@ -97,6 +152,21 @@ pub fn make_ethread(d: &DriverState, a: &Address) -> BoxResult { "tid": tid, "pid": pid, "name": thread_name, + "eprocess": format!("0x{:x}", eprocess), + "state": state, + "wait_reason": wait, + "flags": { + "raw": format!("0x{:x}", flags), + "PS_CROSS_THREAD_FLAGS_TERMINATED": flags & 1 != 0, + "PS_CROSS_THREAD_FLAGS_DEADTHREAD": flags & 2 != 0, + "PS_CROSS_THREAD_FLAGS_HIDEFROMDBG": flags & 3 != 0, + "PS_CROSS_THREAD_FLAGS_IMPERSONATING": flags & 4 != 0, + "PS_CROSS_THREAD_FLAGS_SYSTEM": flags & 5 != 0, + "PS_CROSS_THREAD_FLAGS_HARD_ERRORS_DISABLED": flags & 6 != 0, + "PS_CROSS_THREAD_FLAGS_BREAK_ON_TERMINATION": flags & 7 != 0, + "PS_CROSS_THREAD_FLAGS_SKIP_CREATION_MSG": flags & 8 != 0, + "PS_CROSS_THREAD_FLAGS_SKIP_TERMINATION_MSG": flags & 9 != 0, + }, // "createtime": { // "unix": c_t.timestamp(), // "rfc2822": c_t.to_rfc2822()