nganhkhoa/lpus
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Update eprocess and ethread scan

Browse Source
This commit is contained in:
nganhkhoa
2020-07-03 02:08:27 +07:00
parent a154c71f9b
commit 09114848fc
5 changed files with 248 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

84
src/bin/eprocess_scan.rs
View File

@ -1,10 +1,45 @@
use serde_json::Value;
use std::collections::HashSet;
use std::error::Error;
#[macro_use]
extern crate prettytable;
use prettytable::Table;
use lpus::{
driver_state::DriverState, scan_eprocess, traverse_activehead, traverse_handletable,
traverse_kiprocesslist,
driver_state::DriverState, scan_eprocess, scan_ethread, traverse_activehead,
traverse_handletable, traverse_kiprocesslist,
};
fn process_in_list(addr: &str, list: &Vec<Value>) -> bool {
for r in list.iter() {
if r["address"].as_str().unwrap() == addr {
return true;
}
}
false
}
fn get_from_list(addr: &str, list: &Vec<Value>) -> Option<Value> {
for r in list.iter() {
if r["address"].as_str().unwrap() == addr {
return Some(r.clone());
}
}
None
}
fn process_in_list_thread(addr: &str, list: &Vec<Value>) -> bool {
for r in list.iter() {
if r["eprocess"].as_str().unwrap() == addr {
return true;
}
}
false
}
// fn get_process_from_list(addr: String, list: &Vec<Value>) -> String { }
fn main() -> Result<(), Box<dyn Error>> {
let mut driver = DriverState::new();
if !driver.is_supported() {
@ -16,15 +51,54 @@ fn main() -> Result<(), Box<dyn Error>> {
}
println!("NtLoadDriver() -> 0x{:x}", driver.startup());
let scan = scan_eprocess(&driver).unwrap_or(Vec::new());
let process_scan = scan_eprocess(&driver).unwrap_or(Vec::new());
let thread_scan = scan_ethread(&driver).unwrap_or(Vec::new());
let activehead = traverse_activehead(&driver).unwrap_or(Vec::new());
let kiprocesslist = traverse_kiprocesslist(&driver).unwrap_or(Vec::new());
let handletable = traverse_handletable(&driver).unwrap_or(Vec::new());
for r in scan.iter() {
println!("{:#}", r.to_string());
let mut unique_process = HashSet::new();
for list in [&process_scan, &activehead, &kiprocesslist, &handletable].iter() {
for r in list.iter() {
let addr = r["address"].as_str().unwrap();
unique_process.insert(addr);
}
}
let mut table = Table::new();
table.add_row(row![
"Address",
"Name",
"pid",
"ppid",
"PoolTagScan",
"ActiveProcessHead",
"KiProcessListHead",
"HandleTableList",
"ThreadScan"
]);
for p in &unique_process {
let addr = p.to_string();
let v = get_from_list(&addr, &activehead).unwrap_or_default();
table.add_row(row![
&addr,
v["name"].as_str().unwrap_or("(??)"),
v["pid"].as_i64().unwrap_or(-1),
v["ppid"].as_i64().unwrap_or(-1),
process_in_list(&addr, &process_scan),
process_in_list(&addr, &activehead),
process_in_list(&addr, &kiprocesslist),
process_in_list(&addr, &handletable),
process_in_list_thread(&addr, &thread_scan)
]);
}
table.printstd();
// for r in process_scan.iter() {
// println!("{:#}", r.to_string());
// }
println!("NtUnloadDriver() -> 0x{:x}", driver.shutdown());
Ok(())
}

0
src/bin/thread_scan.rs → src/bin/ethread_scan.rs
View File

70
src/object.rs
View File

@ -80,6 +80,61 @@ pub fn make_ethread(d: &DriverState, a: &Address) -> BoxResult<Value> {
// let exittime: u64 = d.decompose(a, "_ETHREAD.ExitTime")?;
let pid: u64 = d.decompose(a, "_ETHREAD.Cid.UniqueProcess")?;
let tid: u64 = d.decompose(a, "_ETHREAD.Cid.UniqueThread")?;
let eprocess: u64 = d.decompose(a, "_ETHREAD.Tcb.Process")?;
let flags: u32 = d.decompose(a, "_ETHREAD.CrossThreadFlags")?;
let state = match d.decompose::<u8>(a, "_ETHREAD.Tcb.State")? {
0 => "Initialized",
1 => "Ready",
2 => "Running",
3 => "Standby",
4 => "Terminated",
5 => "Waiting",
6 => "Transition",
7 => "DeferredReady",
8 => "GateWait",
_ => "Unknown",
};
let wait = match d.decompose::<u8>(a, "_ETHREAD.Tcb.WaitReason")? {
0 => "Executive",
1 => "FreePage",
2 => "PageIn",
3 => "PoolAllocation",
4 => "DelayExecution",
5 => "Suspended",
6 => "UserRequest",
7 => "WrExecutive",
8 => "WrFreePage",
9 => "WrPageIn",
10 => "WrPoolAllocation",
11 => "WrDelayExecution",
12 => "WrSuspended",
13 => "WrUserRequest",
14 => "WrEventPair",
15 => "WrQueue",
16 => "WrLpcReceive",
17 => "WrLpcReply",
18 => "WrVirtualMemory",
19 => "WrPageOut",
20 => "WrRendezvous",
21 => "Spare2",
22 => "Spare3",
23 => "Spare4",
24 => "Spare5",
25 => "Spare6",
26 => "WrKernel",
27 => "WrResource",
28 => "WrPushLock",
29 => "WrMutex",
30 => "WrQuantumEnd",
31 => "WrDispatchInt",
32 => "WrPreempted",
33 => "WrYieldExecution",
34 => "WrFastMutex",
35 => "WrGuardedMutex",
36 => "WrRundown",
37 => "MaximumWaitReason",
_ => "Unknown",
};
let name_ptr: u64 = d.address_of(a, "_ETHREAD.ThreadName").unwrap_or(0); // ThreadName is after Windows 10 Anniversary
let thread_name = if let Ok(name) = d.get_unicode_string(name_ptr) {
@ -97,6 +152,21 @@ pub fn make_ethread(d: &DriverState, a: &Address) -> BoxResult<Value> {
"tid": tid,
"pid": pid,
"name": thread_name,
"eprocess": format!("0x{:x}", eprocess),
"state": state,
"wait_reason": wait,
"flags": {
"raw": format!("0x{:x}", flags),
"PS_CROSS_THREAD_FLAGS_TERMINATED": flags & 1 != 0,
"PS_CROSS_THREAD_FLAGS_DEADTHREAD": flags & 2 != 0,
"PS_CROSS_THREAD_FLAGS_HIDEFROMDBG": flags & 3 != 0,
"PS_CROSS_THREAD_FLAGS_IMPERSONATING": flags & 4 != 0,
"PS_CROSS_THREAD_FLAGS_SYSTEM": flags & 5 != 0,
"PS_CROSS_THREAD_FLAGS_HARD_ERRORS_DISABLED": flags & 6 != 0,
"PS_CROSS_THREAD_FLAGS_BREAK_ON_TERMINATION": flags & 7 != 0,
"PS_CROSS_THREAD_FLAGS_SKIP_CREATION_MSG": flags & 8 != 0,
"PS_CROSS_THREAD_FLAGS_SKIP_TERMINATION_MSG": flags & 9 != 0,
},
// "createtime": {
// "unix": c_t.timestamp(),
// "rfc2822": c_t.to_rfc2822()