Manko - Posted February 23, 2009 (author)

> Great program, Manko, and I used some functions of it in my Task Manager

Thanks, Daywalkereg! If you need anything, don't hesitate to ask! (Like explanations of my messy code...)

/Manko

--
Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:
* ProDLLer - Process manager - Unload viri modules (dll) and moore...
* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...
* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...
* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist.
Moore to come... eventually...
ptrex - Posted February 24, 2009 (edited)

@Manko
Indeed a great application!! But one thing is missing: a search function, to search any of the columns for a specific DLL, PID, Description, ....
Using the example here: _GUICtrlListView_FindText

Regards,
ptrex

Edited February 24, 2009 by ptrex

--
Contributions:
Firewall Log Analyzer for XP - Creating COM objects without a need of DLL's - UPnP support in AU3 - Crystal Reports Viewer - PDFCreator in AutoIT - Duplicate File Finder - SQLite3 Database functionality - USB Monitoring - Reading Excel using SQL - Run Au3 as a Windows Service - File Monitor - Embedded Flash Player - Dynamic Functions - Control Panel Applets - Digital Signing Code - Excel Grid In AutoIT - Constants for Special Folders in Windows - Read data from Any Windows Edit Control - SOAP and Web Services in AutoIT - Barcode Printing Using PS - AU3 on LightTD Webserver - MS LogParser SQL Engine in AutoIT - ImageMagick Image Processing - Converter @ Dec - Hex - Bin - Email Address Encoder - MSI Editor - SNMP - MIB Protocol - Financial Functions UDF - Set ACL Permissions - Syntax HighLighter for AU3 - ADOR.RecordSet approach - Real OCR - HTTP Disk - PDF Reader - Personal Worldclock - MS Indexing Engine - Printing Controls - GuiListView - Navigation (break the 4000 Limit barrier) - Registration Free COM DLL Distribution - Update - WinRM - SMART Analysis - COM Object Browser - Excel PivotTable Object - VLC Media Player - Windows LogOnOff Gui - Extract Data from Outlook to Word & Excel - Analyze Event ID 4226 - DotNet Compiler Wrapper - Powershell_COM - New
Manko - Posted February 24, 2009 (author)

> @Manko Indeed a great application!! But one thing is missing: a search function, to search any of the columns for a specific DLL, PID, Description, ....

Thanks, Ptrex! This it? Update in first post.

Most recent changes...

; 0.18_23
; Added: Search function, as suggested by ptrex.
; Change: Slight rewrite of module enumeration...
; Fixed: Tooltip not working in non-indented display... now it does...
; Fixed: Forgot to erase old modules on rescan, producing doubles...
; 0.18_22
; Added: Show processor load... Realised I was always checking with another taskmanager...

/Manko
Flamingwolf - Posted February 25, 2009

This is amazing.... I wish I could code like this. o.o
Manko - Posted February 25, 2009 (author)

> This is amazing.... I wish I could code like this. o.o

Thanks! With practice, we all get better. But my impatience and love of shortcuts is perhaps not to be wished for, sometimes... Just broke some important functions...

UPDATE!

; 0.18_24
; Added: Listviews will scroll to last found items in listview when searching, especially important if there's only one hit somewhere FAAAR down...
; Fixed: Stupidly destroyed searchbox twice, making it impossible to use button "selection" and "listall". Extremely irritating!

UPDATE in first post! I hope to not be hogging forum space correcting stupid mistakes for a while... hrm...

/Manko
ptrex - Posted February 27, 2009

@Manko
Just did some tests. This is perfect!! Thanks a lot for hearing my request. I hope it helps you as well.

regards,
ptrex
Manko - Posted March 1, 2009 (author)

> @Manko Just did some tests. This is perfect!! Thanks a lot for hearing my request. I hope it helps you as well. regards, ptrex

Thanks, ptrex! Yeah, now that I've tried this feature out, I quite like it! Good potential for further singling out instances, both in straight and inverted use. Thanks again for the suggestion!

/Manko
Hammerfist - Posted May 20, 2009

@Manko
Great application! Thanks for a nice idea. I think you have missed one thing. Can you create sorta like a "context menu" for your list of modules and processes, containing the "unload", "kill" actions or others?

--
My topics:
<<<< Project ECO Helper >>>>
<<<< _ReduceMemory GUI >>>>
FireFox - Posted May 21, 2009

@Manko
Why not add a function to inject DLLs?

Cheers, FireFox.
Manko - Posted May 24, 2009 (author) (edited)

> Great application! Thanks for a nice idea. I think you have missed one thing. Can you create sorta like a "context menu" for your list of modules and processes, containing the "unload", "kill" actions or others?

@Hammerfist
Thanks! Actually, I have added code for that in the version I use/develop right now. But since I added some new functions without fully implementing them, and since I'm dug down in developing further one particular function, the app is really in quite an uglier state at the moment. Though, I guess I might release it as is, just to see if someone comments...

@FireFox
Wraithdu has done much on injecting dlls... He made an app that was somewhat similar to mine at that time, that also injected. Me, I don't see any reason why my app should do it. As I'm curious... What would you use it for, exactly?

/Manko

Edited May 24, 2009 by Manko
trancexx - Posted June 3, 2009

You have done really huge work here Manko. Admirable.

--
♡♡♡ . eMyvnE
Manko - Posted June 27, 2009 (author)

> You have done really huge work here Manko. Admirable.

Thanks, trancexx!

Update!

; 0.18_46
; Fixed: Putting a short sleep in the messageloop got rid of the insane CPU-usage I got moving the mouse around in the GUI, with no apparent adverse effects. Why didn't I do it before???
; Fixed: Renamed some variables to not conflict. (Messageloop vs. Adlib...) (Array out of bounds - crash)
; Fixed: Lost name of drivers in display of SSDT-hooks sometimes. Troubles with logic between hex and int... Solved!
; Fixed: Another conflict between adlib and Messageloop, during Suspendall-state, sometimes when displaying drivers/threads/SSDT... Fixed! (Array out of bounds - crash)

Download in first post!

/Manko

[Edit: New version. Posts moved together.]
trancexx - Posted June 27, 2009

You think you could list mutexes as well? Look here for the needs of some.
Manko - Posted July 5, 2009 (author) (edited)

; 0.18_47
; Added: Sanitize and kill - Upped by new trick for killing...
; Fixed: By copying the kernelfile I get the access I need to play with uninitialized kernel even on some restricted Vista systems...
; ...... (It would not even let me open file and since my window is topmost, alert got placed behind it. Irritating!)
; Fixed: Messageboxes are now topmost!

Update in first post!

> You think you could list mutexes as well? Look here for the needs of some.

This unfinished code lists "user objects and handles", mutexes among them... Driver code is needed to better handle "named pipes". ...am researching.... Sorry 'bout the delay! Other stuff happening in life...

```autoit
#include <WinAPI.au3> ; _GetPrivilege_SEDEBUG() - by wraithdu - uses this include.
#include <Array.au3>  ; Needed to display array in example.
#RequireAdmin

; SystemHandleInformation = 16
;~ typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
;~     USHORT UniqueProcessId;
;~     USHORT CreatorBackTraceIndex;
;~     UCHAR  ObjectTypeIndex;
;~     UCHAR  HandleAttributes;
;~     USHORT HandleValue;
;~     PVOID  Object;
;~     ULONG  GrantedAccess;
;~ } SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
;~ typedef struct _SYSTEM_HANDLE_INFORMATION {
;~     ULONG NumberOfHandles;
;~     SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[ 1 ];
;~ } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
;~ BOOL DuplicateHandle(
;~     HANDLE   hSourceProcessHandle, // handle to process with handle to duplicate   OpenProcess PROCESS_DUP_HANDLE
;~     HANDLE   hSourceHandle,        // handle to duplicate
;~     HANDLE   hTargetProcessHandle, // handle to process to duplicate to            GetCurrentProcess PROCESS_DUP_HANDLE
;~     LPHANDLE lpTargetHandle,       // pointer to duplicate handle
;~     DWORD    dwDesiredAccess,      // access for duplicate handle                  0
;~     BOOL     bInheritHandle,       // handle inheritance flag                      0
;~     DWORD    dwOptions             // optional actions                             const $DUPLICATE_SAME_ACCESS = 0x2
;~ );
;~ NtQueryObject(
;~     IN  HANDLE ObjectHandle,
;~     IN  OBJECT_INFORMATION_CLASS ObjectInformationClass,   ObjectTypeInformation = 2, ObjectNameInformation = 1
;~     OUT PVOID ObjectInformation,
;~     IN  ULONG Length,
;~     OUT PULONG ResultLength );
;~ $tag_OBJECT_TYPE =
;~     "ushort Length;" & _
;~     "ushort MaximumLength;" & _
;~     "ptr ProcessName;" & _
;~     "byte[512]"

$tag_SYSTEM_HANDLE_INFO = _
        "USHORT UniqueProcessId;" & _
        "USHORT CreatorBackTraceIndex;" & _
        "ubyte ObjectTypeIndex;" & _
        "ubyte HandleAttributes;" & _
        "USHORT HandleValue;" & _
        "ptr Object;" & _
        "ptr GrantedAccess"

$tag_OBJECT_TYPE = _ ; TYPE / NAME doesn't matter... I just want the unicode string.
        "ushort Length;" & _
        "ushort MaximumLength;" & _
        "ptr Name;" & _
        "byte[512]"

; ############# Needed Constants ###################
Global Const $PROCESS_VM_READ = 0x10
Global Const $PROCESS_QUERY_INFORMATION = 0x400

; ############ Example code #######################
_GetPrivilege_SEDEBUG()
$temp = _Handles()
_ArrayDisplay($temp)
; ###############################################

; ############ Here be func! ####################
Func _Handles()
    Local $times[10]
    Local $Mem = DllStructCreate("byte[" & 40000000 & "]")
    Local $ret = DllCall("ntdll.dll", "int", "ZwQuerySystemInformation", "int", 16, "ptr", DllStructGetPtr($Mem), "int", DllStructGetSize($Mem), "int*", 0)
    Local $SysHnd = DllStructCreate($tag_SYSTEM_HANDLE_INFO, $ret[2] + 4)
    Local $dw = DllStructCreate("dword", $ret[2])
    Local $Count = DllStructGetData($dw, 1)
    Local $SysHnd_ptr = $ret[2] + 4
    Local $SysHnd_Size = DllStructGetSize($SysHnd)
    Local $buffer, $i = 0, $lastthread, $m = 0, $NextEntryDelta, $k, $temp, $space, $l, $bSkip
    Local $avArray[1000000][10]
    Const $PROCESS_DUP_HANDLE = 0x40
    Const $DUPLICATE_SAME_ACCESS = 0x2
    Local $types[256] ; ObjectTypeIndex is a UCHAR, so 256 slots covers every possible index (was 40: out of bounds on newer systems)
    Local $ObjType = DllStructCreate($tag_OBJECT_TYPE)
    While 1
        If $m = $Count Then ExitLoop
        $avArray[$i][0] = DllStructGetData($SysHnd, "UniqueProcessId")
        $avArray[$i][1] = DllStructGetData($SysHnd, "CreatorBackTraceIndex")
        If Not $avArray[$i][1] Then $avArray[$i][1] = ""
        $avArray[$i][2] = DllStructGetData($SysHnd, "ObjectTypeIndex")
        $avArray[$i][3] = DllStructGetData($SysHnd, "HandleAttributes")
        If Not $avArray[$i][3] Then $avArray[$i][3] = ""
        $avArray[$i][4] = Ptr(DllStructGetData($SysHnd, "HandleValue"))
        $avArray[$i][5] = DllStructGetData($SysHnd, "Object")
        $avArray[$i][6] = DllStructGetData($SysHnd, "GrantedAccess")
        ; Duplicate the foreign handle into this process so NtQueryObject can be asked about it
        $hProcSource = _WinAPI_OpenProcess(0x1f0fff, 0, $avArray[$i][0])
        $hProcDest = _WinAPI_OpenProcess(0x1f0fff, 0, @AutoItPID)
        $ret = DllCall("kernel32.dll", "int", "DuplicateHandle", "hwnd", $hProcSource, "hwnd", $avArray[$i][4], "hwnd", $hProcDest, _
                "hwnd*", 0, "int", 0, "int", 0, "int", $DUPLICATE_SAME_ACCESS)
        $avArray[$i][7] = $ret[4] ; duplicate handle value, kept for display only; it is closed below
        ; Type name is cached per ObjectTypeIndex: one NtQueryObject(ObjectTypeInformation) per type, not per handle
        If Not $types[$avArray[$i][2]] Then
            DllCall("ntdll.dll", "int", "NtQueryObject", "hwnd", $ret[4], "int", 2, "ptr", DllStructGetPtr($ObjType, 1), _
                    "int", DllStructGetSize($ObjType), "int*", 0)
            $buffer = DllStructCreate("wchar[256]", DllStructGetData($ObjType, "Name"))
            $avArray[$i][8] = DllStructGetData($buffer, 1)
            $types[$avArray[$i][2]] = $avArray[$i][8]
        Else
            $avArray[$i][8] = $types[$avArray[$i][2]]
        EndIf
        ; Try to filter out NAMED PIPES to not deadlock. Writing a driver to get names would be best. I'm researching...
        $bSkip = False
        If $avArray[$i][2] = 28 Then
            If $avArray[$i][6] = 0x00120189 Then $bSkip = True
            If $avArray[$i][6] = 0x00100000 Then $bSkip = True
            If $avArray[$i][6] = 0x0012019F And $avArray[$i][3] < 2 Then $bSkip = True
        EndIf
        If $bSkip Then
            $avArray[$i][9] = " NAMED PIPES ??? - DANGER OF DEADLOCK - SKIPPED ..."
            _WinAPI_CloseHandle($ret[4]) ; release the duplicate and both process handles on this path too (were leaked)
            _WinAPI_CloseHandle($hProcSource)
            _WinAPI_CloseHandle($hProcDest)
            $m += 1
            $i += 1
            $SysHnd = DllStructCreate($tag_SYSTEM_HANDLE_INFO, $SysHnd_ptr + $SysHnd_Size * $m)
            ContinueLoop
        EndIf
        ;~ If $avArray[$i][0] <> 1452 Then ; single out one PID
        ;~     $m += 1
        ;~     ;$i += 1
        ;~     $SysHnd = DllStructCreate($tag_SYSTEM_HANDLE_INFO, $SysHnd_ptr + $SysHnd_Size * $m)
        ;~     ContinueLoop
        ;~ EndIf
        ; Still checking which access rights deadlock - ConsoleWrite...
        ConsoleWrite($avArray[$i][6] & " " & $avArray[$i][2] & " " & $avArray[$i][0] & $avArray[$i][8] & " " & @LF)
        Switch $avArray[$i][2]
            Case 5 ; Process object: show the PID it refers to instead of a name
                $ret1 = DllCall("kernel32.dll", "int", "GetProcessId", "hwnd", $ret[4])
                $avArray[$i][9] = $ret1[0]
            Case Else
                If Not $avArray[$i][9] Then
                    $ObjType = DllStructCreate($tag_OBJECT_TYPE)
                    DllCall("ntdll.dll", "int", "NtQueryObject", "hwnd", $ret[4], "int", 1, "ptr", DllStructGetPtr($ObjType, 1), _
                            "int", DllStructGetSize($ObjType), "int*", 0)
                    $buffer = DllStructCreate("wchar[256]", DllStructGetData($ObjType, "Name"))
                    $avArray[$i][9] = DllStructGetData($buffer, 1)
                    If Not $avArray[$i][9] Then $avArray[$i][9] = ""
                EndIf
        EndSwitch
        _WinAPI_CloseHandle($ret[4]) ; close the duplicate: every iteration left one open before
        _WinAPI_CloseHandle($hProcSource)
        _WinAPI_CloseHandle($hProcDest)
        $i += 1
        $m += 1
        $SysHnd = DllStructCreate($tag_SYSTEM_HANDLE_INFO, $SysHnd_ptr + $SysHnd_Size * $m)
        ContinueLoop
    WEnd
    ReDim $avArray[$i][10]
    Return $avArray
EndFunc   ;==>_Handles

; #######################
; ####################### Thanks to wraithdu!
Func _GetPrivilege_SEDEBUG()
    Local $tagLUIDANDATTRIB = "int64 Luid;dword Attributes"
    Local $count = 1
    Local $tagTOKENPRIVILEGES = "dword PrivilegeCount;byte LUIDandATTRIB[" & $count * 12 & "]" ; count of LUID structs * sizeof LUID struct
    Local $TOKEN_ADJUST_PRIVILEGES = 0x20
    Local $call = DllCall("advapi32.dll", "int", "OpenProcessToken", "ptr", _WinAPI_GetCurrentProcess(), "dword", $TOKEN_ADJUST_PRIVILEGES, "ptr*", "")
    Local $hToken = $call[3]
    $call = DllCall("advapi32.dll", "int", "LookupPrivilegeValue", "str", Chr(0), "str", "SeDebugPrivilege", "int64*", "")
    ;msgbox(0,"",$call[3] & " " & _WinAPI_GetLastErrorMessage())
    Local $iLuid = $call[3]
    Local $TP = DllStructCreate($tagTOKENPRIVILEGES)
    Local $LUID = DllStructCreate($tagLUIDANDATTRIB, DllStructGetPtr($TP, "LUIDandATTRIB"))
    DllStructSetData($TP, "PrivilegeCount", $count)
    DllStructSetData($LUID, "Luid", $iLuid)
    DllStructSetData($LUID, "Attributes", 0x2) ; SE_PRIVILEGE_ENABLED, written as a literal since no include here defines the constant
    $call = DllCall("advapi32.dll", "int", "AdjustTokenPrivileges", "ptr", $hToken, "int", 0, "ptr", DllStructGetPtr($TP), "dword", 0, "ptr", 0, "ptr", 0)
    _WinAPI_CloseHandle($hToken) ; the token handle was left open in the first version of this post
    Return ($call[0] <> 0) ; $call[0] <> 0 is success
EndFunc   ;==>_GetPrivilege_SEDEBUG
```

/Manko

[EDIT: Bugfix of example code!]

Edited July 6, 2009 by Manko
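As an added example (not Manko's code and not part of ProDLLer), here is the read-only half of the technique in the post above done defensively: the NtQuerySystemInformation call is retried with a growing buffer instead of a fixed 40 MB one, every DllCall() is checked through @error before its result is indexed, and the table is walked without DuplicateHandle or NtQueryObject, so nothing here can hang on a synchronous named pipe. It only counts handles per process, which is enough to spot a handle leak or a process holding far more handles than its peers. It assumes 32-bit AutoIt (the 16-byte entry layout used in this thread); constant and function names ending in _X are this example's own.

```autoit
#include <Array.au3>

; Added example, not ProDLLer code. Assumes 32-bit AutoIt: the entry layout below is the
; 32-bit SYSTEM_HANDLE_TABLE_ENTRY_INFO (16 bytes, entries start at offset 4).
Global Const $SystemHandleInformation_X = 16
Global Const $tagSYSTEM_HANDLE_ENTRY_X = "ushort UniqueProcessId;ushort CreatorBackTraceIndex;" & _
        "ubyte ObjectTypeIndex;ubyte HandleAttributes;ushort HandleValue;ptr Object;ulong GrantedAccess"

; Ask ntdll for the handle table, doubling the buffer while it answers
; STATUS_INFO_LENGTH_MISMATCH (0xC0000004). Returns the filled DllStruct, or 0 with @error:
;   1 = DllCall itself failed (its return value is not an array and must not be indexed)
;   2 = NtQuerySystemInformation returned another NTSTATUS (numeric value in @extended)
;   3 = gave up growing the buffer
Func _QuerySystemHandles_X()
    Local $iSize = 0x10000, $tBuf, $aRet, $sStatus
    For $iTry = 1 To 12 ; 64 KiB doubled twelve times tops out at 256 MiB
        $tBuf = DllStructCreate("byte[" & $iSize & "]")
        $aRet = DllCall("ntdll.dll", "dword", "NtQuerySystemInformation", "int", $SystemHandleInformation_X, _
                "ptr", DllStructGetPtr($tBuf), "ulong", $iSize, "ulong*", 0)
        If @error Then Return SetError(1, 0, 0)
        $sStatus = Hex($aRet[0], 8) ; compare as text: avoids signed/unsigned trouble with NTSTATUS values
        If $sStatus = "00000000" Then Return $tBuf
        If $sStatus <> "C0000004" Then Return SetError(2, $aRet[0], 0)
        ; The table can grow between two calls, so the reported length ($aRet[4]) is only a lower bound
        $iSize = $iSize * 2
        If $aRet[4] > $iSize Then $iSize = $aRet[4] + 0x10000
    Next
    Return SetError(3, 0, 0)
EndFunc   ;==>_QuerySystemHandles_X

; Walk the table once and count open handles per process.
; Returns a 2D array [PID, handle count] sorted by count, highest first.
Func _HandleCountsByPid_X($tBuf)
    Local $pBase = DllStructGetPtr($tBuf)
    Local $iCount = DllStructGetData(DllStructCreate("ulong", $pBase), 1) ; NumberOfHandles header
    Local $iEntrySize = DllStructGetSize(DllStructCreate($tagSYSTEM_HANDLE_ENTRY_X))
    Local $aPerPid[65536] ; UniqueProcessId is a USHORT in this structure
    Local $tEntry, $iPid
    For $i = 0 To $iCount - 1
        $tEntry = DllStructCreate($tagSYSTEM_HANDLE_ENTRY_X, $pBase + 4 + $i * $iEntrySize)
        $iPid = DllStructGetData($tEntry, "UniqueProcessId")
        $aPerPid[$iPid] += 1
    Next
    Local $aOut[65536][2], $n = 0
    For $iPid = 0 To 65535
        If $aPerPid[$iPid] Then
            $aOut[$n][0] = $iPid
            $aOut[$n][1] = $aPerPid[$iPid]
            $n += 1
        EndIf
    Next
    ReDim $aOut[$n][2]
    _ArraySort($aOut, 1, 0, 0, 1) ; descending on the count column
    Return $aOut
EndFunc   ;==>_HandleCountsByPid_X

; List the raw table entries of one process: [HandleValue, ObjectTypeIndex, GrantedAccess, HandleAttributes].
; Nothing here touches the object itself, so it is safe for pipe handles; the hang the
; thread discusses only comes from NtQueryObject on a duplicated synchronous pipe handle.
Func _HandlesOfPid_X($tBuf, $iWantPid)
    Local $pBase = DllStructGetPtr($tBuf)
    Local $iCount = DllStructGetData(DllStructCreate("ulong", $pBase), 1)
    Local $iEntrySize = DllStructGetSize(DllStructCreate($tagSYSTEM_HANDLE_ENTRY_X))
    Local $aOut[$iCount + 1][4], $n = 0, $tEntry
    For $i = 0 To $iCount - 1
        $tEntry = DllStructCreate($tagSYSTEM_HANDLE_ENTRY_X, $pBase + 4 + $i * $iEntrySize)
        If DllStructGetData($tEntry, "UniqueProcessId") <> $iWantPid Then ContinueLoop
        $aOut[$n][0] = "0x" & Hex(DllStructGetData($tEntry, "HandleValue"), 4)
        $aOut[$n][1] = DllStructGetData($tEntry, "ObjectTypeIndex")
        $aOut[$n][2] = "0x" & Hex(DllStructGetData($tEntry, "GrantedAccess"), 8)
        $aOut[$n][3] = DllStructGetData($tEntry, "HandleAttributes")
        $n += 1
    Next
    ReDim $aOut[$n][4]
    Return $aOut
EndFunc   ;==>_HandlesOfPid_X

; Usage: no SeDebugPrivilege and no elevation needed just to read the table
Local $tTable = _QuerySystemHandles_X()
If @error Then
    ConsoleWrite("NtQuerySystemInformation failed, @error=" & @error & " status=0x" & Hex(@extended, 8) & @CRLF)
    Exit 1
EndIf
_ArrayDisplay(_HandleCountsByPid_X($tTable), "Open handles per PID, highest first")
_ArrayDisplay(_HandlesOfPid_X($tTable, @AutoItPID), "Handles held by this script")
```

The per-PID count is the cheap, safe signal: a process whose count keeps climbing between two runs is leaking handles, and a user-mode process with thousands of handles it has no business holding is worth a closer look with a tool that does resolve names.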
trancexx - Posted July 6, 2009

Excellent.

What's the worst that could happen if I would use kernel mode functions from user mode? (I'm aware of restrictions with available space, but let's say I won't be breaking that.)

I'm actually asking what do I need to do to execute a privileged instruction without the use of some driver?
Manko - Posted July 6, 2009 (author)

> Excellent. What's the worst that could happen if I would use kernel mode functions from user mode? (I'm aware of restrictions with available space, but let's say I won't be breaking that.) I'm actually asking what do I need to do to execute a privileged instruction without the use of some driver?

I'm not altogether sure about these things, since I'm quite new to driver developing...

...but, from usermode we don't have access to kernelspace, which makes it impossible to have straight access to kernelmode-only structures... ...there are intermediary functions that work in both environments but often do not reveal all info in userspace...

In this particular case though... Trying to ask for the name of a "named pipe" in "sync-mode" locks my process indefinitely... Or till the app that opened it thus is closed. (Haven't tested, just been told...)

(In kernel I could just work on the object, unrestricted, instead of getting stumped by access conditions of the handle... sort of...)

Do you have an example of what you would like to do? Might be easier to answer... (...or not...)

PS. Updated example code as I had a few stupid mistakes in there... DS.

/Manko
trancexx - Posted July 6, 2009 (edited)

> Do you have an example of what you would like to do? Might be easier to answer... /Manko

Read BIOS CMOS. That is saying access ports 112 and 113. Normally without the driver I'm not allowed. But since nothing is impossible...

edit: been working on both

Edited July 6, 2009 by trancexx
wraithdu - Posted July 6, 2009

@Manko
I rewrote my GetPrivilege function a little, and closed a handle that was mistakenly left open. Here ya go:

```autoit
; #FUNCTION# ;===============================================================================
;
; Name...........: _GetPrivilege_SEDEBUG
; Description ...: Obtains the SE_DEBUG privilege for the running process
; Syntax.........: _GetPrivilege_SEDEBUG()
; Parameters ....:
; Return values .: Success - Returns True
;                  Failure - Returns False
; Author ........: Erik Pilsits
; Modified.......:
; Remarks .......:
; Related .......:
; Link ..........;
; Example .......;
;
;
;==========================================================================================
Func _GetPrivilege_SEDEBUG()
    Local $tagLUIDANDATTRIB = "int64 Luid;dword Attributes"
    Local $count = 1
    Local $tagTOKENPRIVILEGES = "dword PrivilegeCount;byte LUIDandATTRIB[" & $count * 12 & "]" ; count of LUID structs * sizeof LUID struct
    Local $TOKEN_ADJUST_PRIVILEGES = 0x20
    Local $SE_PRIVILEGE_ENABLED = 0x2
    Local $curProc = DllCall("kernel32.dll", "ptr", "GetCurrentProcess")
    Local $call = DllCall("advapi32.dll", "int", "OpenProcessToken", "ptr", $curProc[0], "dword", $TOKEN_ADJUST_PRIVILEGES, "ptr*", "")
    If Not $call[0] Then Return False
    Local $hToken = $call[3]
    $call = DllCall("advapi32.dll", "int", "LookupPrivilegeValue", "str", "", "str", "SeDebugPrivilege", "int64*", "")
    Local $iLuid = $call[3]
    Local $TP = DllStructCreate($tagTOKENPRIVILEGES)
    Local $LUID = DllStructCreate($tagLUIDANDATTRIB, DllStructGetPtr($TP, "LUIDandATTRIB"))
    DllStructSetData($TP, "PrivilegeCount", $count)
    DllStructSetData($LUID, "Luid", $iLuid)
    DllStructSetData($LUID, "Attributes", $SE_PRIVILEGE_ENABLED)
    $call = DllCall("advapi32.dll", "int", "AdjustTokenPrivileges", "ptr", $hToken, "int", 0, "ptr", DllStructGetPtr($TP), "dword", 0, "ptr", 0, "ptr", 0)
    DllCall("kernel32.dll", "int", "CloseHandle", "ptr", $hToken)
    Return ($call[0] <> 0) ; $call[0] <> 0 is success
EndFunc   ;==>_GetPrivilege_SEDEBUG
```
trancexx - Posted July 6, 2009

> @Manko I rewrote my GetPrivilege function a little, and closed a handle that was mistakenly left open. Here ya go:
> (wraithdu's _GetPrivilege_SEDEBUG() function, quoted in full in the original post; see his post above)

Let's say the DllCall() function fails for some, any reason. What happens? AutoIt is specific.
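The question above, answered with an added example (not wraithdu's or Manko's code): DllCall() returns an array only on success; when the DLL cannot be loaded, the function name is wrong or a parameter type is bad, it sets @error and returns a value that is not an array, and the next `$call[0]` aborts the whole script with "Subscript used with non-Array variable". The routine below checks @error after every call, closes the token on every exit path, and also treats AdjustTokenPrivileges returning TRUE with GetLastError() = ERROR_NOT_ALL_ASSIGNED (1300) as failure, which is what a non-elevated token gets when it asks for SeDebugPrivilege it does not hold. Names ending in _X are this example's own.

```autoit
#include <WinAPI.au3>

; Added example, not wraithdu's or Manko's code: enable a token privilege without
; indexing any DllCall() result before @error has been checked. The _X names are
; this example's own and avoid clashing with constants from the includes.
Global Const $TOKEN_ADJUST_PRIVILEGES_X = 0x20
Global Const $SE_PRIVILEGE_ENABLED_X = 0x2
Global Const $ERROR_NOT_ALL_ASSIGNED_X = 1300

; Returns True only if the privilege is now enabled in this process token.
; On failure returns False and sets @error (GetLastError() in @extended for 2..5):
;   1 = DllCall() itself failed: its return value is not an array and must not be indexed
;   2 = OpenProcessToken failed
;   3 = LookupPrivilegeValue failed (no such privilege name on this system)
;   4 = AdjustTokenPrivileges failed
;   5 = AdjustTokenPrivileges returned TRUE but assigned nothing (ERROR_NOT_ALL_ASSIGNED):
;       the token does not hold the privilege, e.g. a non-elevated user asking for SeDebugPrivilege
Func _EnablePrivilege_Checked_X($sPrivilege = "SeDebugPrivilege")
    Local $aCall, $hToken, $iLastErr

    $aCall = DllCall("advapi32.dll", "int", "OpenProcessToken", "ptr", _WinAPI_GetCurrentProcess(), _
            "dword", $TOKEN_ADJUST_PRIVILEGES_X, "ptr*", 0)
    If @error Then Return SetError(1, 0, False)
    If Not $aCall[0] Then Return SetError(2, _WinAPI_GetLastError(), False)
    $hToken = $aCall[3]

    ; TOKEN_PRIVILEGES with one LUID_AND_ATTRIBUTES; every member is 4 bytes, so no padding surprises
    Local $tTP = DllStructCreate("dword PrivilegeCount;dword LuidLow;long LuidHigh;dword Attributes")
    ; Let LookupPrivilegeValue write the 8-byte LUID straight into the struct
    $aCall = DllCall("advapi32.dll", "int", "LookupPrivilegeValueW", "ptr", 0, "wstr", $sPrivilege, _
            "ptr", DllStructGetPtr($tTP, "LuidLow"))
    If @error Then
        _WinAPI_CloseHandle($hToken)
        Return SetError(1, 0, False)
    EndIf
    If Not $aCall[0] Then
        $iLastErr = _WinAPI_GetLastError()
        _WinAPI_CloseHandle($hToken)
        Return SetError(3, $iLastErr, False)
    EndIf
    DllStructSetData($tTP, "PrivilegeCount", 1)
    DllStructSetData($tTP, "Attributes", $SE_PRIVILEGE_ENABLED_X)

    $aCall = DllCall("advapi32.dll", "int", "AdjustTokenPrivileges", "ptr", $hToken, "int", 0, _
            "ptr", DllStructGetPtr($tTP), "dword", 0, "ptr", 0, "ptr", 0)
    If @error Then
        _WinAPI_CloseHandle($hToken)
        Return SetError(1, 0, False)
    EndIf
    $iLastErr = _WinAPI_GetLastError() ; read it before any other call can overwrite it
    _WinAPI_CloseHandle($hToken)       ; closed on every path: this was the leak wraithdu fixed
    If Not $aCall[0] Then Return SetError(4, $iLastErr, False)
    ; TRUE from AdjustTokenPrivileges is not success by itself: it also returns TRUE when it
    ; could not assign the privilege, and then GetLastError() is ERROR_NOT_ALL_ASSIGNED
    If $iLastErr = $ERROR_NOT_ALL_ASSIGNED_X Then Return SetError(5, $iLastErr, False)
    Return True
EndFunc   ;==>_EnablePrivilege_Checked_X

; Usage: report which step failed instead of dying on a non-array subscript
Local $bOk = _EnablePrivilege_Checked_X("SeDebugPrivilege")
Local $iErr = @error
Local $iExt = @extended
If $bOk Then
    ConsoleWrite("SeDebugPrivilege enabled" & @CRLF)
Else
    ConsoleWrite("SeDebugPrivilege NOT enabled, step " & $iErr & ", GetLastError=" & $iExt & @CRLF)
EndIf
; A privilege name that does not exist takes the LookupPrivilegeValue path (step 3), still no crash
_EnablePrivilege_Checked_X("SeNoSuchPrivilege")
ConsoleWrite("Bogus name: step " & @error & ", GetLastError=" & @extended & @CRLF)
```

Run it once elevated and once as a plain user: the elevated run returns True, the plain run comes back through step 5, and a caller that only looked at the AdjustTokenPrivileges return value would have believed both succeeded.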
Ascend4nt - Posted July 7, 2009 (edited)

Manko, my man! wassap

hey, I just tried to destroy a crashed app with your 'Sanitize and kill' function and guess what? ProDLL'er killed itself! I thought for sure it was supposed to kill the process! Anyway, I'm still confused by all those buttons with limited descriptions - but wasn't there a way to detect if a process was locked up/frozen/crashed?

Btw, I'm trying with my 'Full-Screen Crash Recovery' program to terminate the app - but 'WinGetProcess' and the API call 'GetWindowThreadProcessId' that it uses (I assume) both return the Explorer.exe Process ID for a frozen/crashed app! Dang.. I'm really getting frustrated here trying to figure out how to close the right process.. On the plus side, remember 'IsHungAppWindow'? It actually returns True for these crashed windows! So there's one plus.. now to find the process ID and terminate it..

*edit: I got it all figured out.. turns out, even though explorer.exe was returned for the crashed apps, explorer.exe was in fact crashed as well! Once it was terminated, WinGetProcess() returned the correct process ID. But termination was impossible at that point. Luckily the windows disappeared from the screen, so I can still consider the Full-Screen Crash Recovery program a success! Now to upload the new version..

Edited July 7, 2009 by ascendant

--
My contributions: Performance Counters in Windows - Measure CPU, Disk, Network etc Performance | Network Interface Info, Statistics, and Traffic | CPU Multi-Processor Usage w/o Performance Counters | Disk and Device Read/Write Statistics | Atom Table Functions | Process, Thread, & DLL Functions UDFs | Process CPU Usage Trackers | PE File Overlay Extraction | A3X Script Extract | File + Process Imports/Exports Information | Windows Desktop Dimmer Shade | Spotlight + Focus GUI - Highlight and Dim for Eyestrain Relief | CrossHairs (FullScreen) | Rubber-Band Boxes using GUI's (_GUIBox) | GUI Fun! | IE Embedded Control Versioning (use IE9+ and HTML5 in a GUI) | Magnifier (Vista+) Functions UDF | _DLLStructDisplay (Debug!) | _EnumChildWindows (controls etc) | _FileFindEx | _ClipGetHTML | _ClipPutHTML + ClipPutHyperlink | _FileGetShortcutEx | _FilePropertiesDialog | I/O Port Functions | File(s) Drag & Drop | _RunWithReducedPrivileges | _ShellExecuteWithReducedPrivileges | _WinAPI_GetSystemInfo | dotNETGetVersions | Drive(s) Power Status | _WinGetDesktopHandle | _StringParseParameters | Screensaver, Sleep, Desktop Lock Disable | Full-Screen Crash Recovery
Wrappers/Modifications of others' contributions: _DOSWildcardsToPCRegEx (original code: RobSaunder's) | WinGetAltTabWinList (original: Authenticity)
UDF's added support/programming to: _ExplorerWinGetSelectedItems | MIDIEx UDF (original code: eynstyne)
(All personal code/wrappers centrally located at Ascend4nt's AutoIT Code)