Add WinAPI Process Enumaration and module info

Thanks sig. Seriously.
See notice.txt
master
Marenthyu 5 years ago
parent 4abff96fa3
commit 1708e8575e
  1. 6
      src/de/marenthyu/memedit/bunny/BunnyMemoryManager.java
  2. 40
      src/de/marenthyu/memedit/util/Shared.java
  3. 64
      src/de/marenthyu/memedit/util/sig/Module.java
  4. 57
      src/de/marenthyu/memedit/util/sig/Psapi.java
  5. 104
      src/de/marenthyu/memedit/util/sig/PsapiTools.java
  6. 3
      src/de/marenthyu/memedit/util/sig/notice.txt

@ -20,19 +20,19 @@ public class BunnyMemoryManager {
public static void init() { public static void init() {
bunnyPID = getProcessId(RABI_TITLE); bunnyPID = getProcessIdByWindowTitle(RABI_TITLE);
System.out.println("[BUNNY] Bunny PID: " + bunnyPID); System.out.println("[BUNNY] Bunny PID: " + bunnyPID);
bunnyProcess = openProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, bunnyPID); bunnyProcess = openProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, bunnyPID);
try { try {
RABI_BASE_SIZE = getBaseAddress("rabiribi.exe"); RABI_BASE_SIZE = getBaseAddress("rabiribi.exe");
if (RABI_BASE_SIZE == 0) { if (RABI_BASE_SIZE == 0) {
throw new IOException("Invalid Size Returned from Powershell"); throw new IOException("Invalid Size Returned from Base Address Detection");
} }
} catch (NumberFormatException | IOException e) { } catch (NumberFormatException | IOException e) {
// e.printStackTrace(); // e.printStackTrace();
System.out.println(); System.out.println();
System.out.println("[BUNNY] Error getting the Module base address automatically, asking user."); System.out.println("[BUNNY] Error getting the Module base address automatically, asking user.");
String userInput = JOptionPane.showInputDialog("Please Enter the base address of rabiribi.exe\n If you dare, please help me automate this. I am at the end of my knowledge. If you don't know how to do this, ask whoever linked you this software."); String userInput = JOptionPane.showInputDialog("Please Enter the base address of rabiribi.exe\n Too bad this failed. Thanks sig for the actual implementation that works most of the time. If you don't know how to do this, ask whoever linked you this software.");
try { try {
RABI_BASE_SIZE = Integer.decode(userInput); RABI_BASE_SIZE = Integer.decode(userInput);
} catch (Exception y) { } catch (Exception y) {
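Review bot: The base address is looked up by executable name only, so `getBaseAddress("rabiribi.exe")` walks every process on the machine while `bunnyProcess` was opened for the one PID found by window title two lines earlier; with more than one game instance running the handle and the address can come from different processes. Since the PID is already in hand, the lookup should be pinned to it, e.g. an overload `getBaseAddress(String executableName, int pid)` in Shared and `RABI_BASE_SIZE = getBaseAddress("rabiribi.exe", bunnyPID);` here. Also worth a comment: `RABI_BASE_SIZE` holds a base address, not a size, and the new helper truncates the native pointer to `int`, which is only safe for a 32-bit target process. `init()` continues past the end of this hunk.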

@ -3,27 +3,34 @@ package de.marenthyu.memedit.util;
import com.sun.jna.Memory; import com.sun.jna.Memory;
import com.sun.jna.Native; import com.sun.jna.Native;
import com.sun.jna.Pointer; import com.sun.jna.Pointer;
import com.sun.jna.platform.win32.WinNT;
import com.sun.jna.ptr.IntByReference; import com.sun.jna.ptr.IntByReference;
import de.marenthyu.memedit.util.sig.Module;
import de.marenthyu.memedit.util.sig.PsapiTools;
import java.io.BufferedReader; import java.io.BufferedReader;
import java.io.IOException; import java.io.IOException;
import java.io.InputStreamReader; import java.io.InputStreamReader;
import java.util.List;
public class Shared { public class Shared {
static Kernel32 kernel32 = Native.load("kernel32", Kernel32.class); static Kernel32 kernel32 = Native.load("kernel32", Kernel32.class);
static User32 user32 = Native.load("user32", User32.class); static User32 user32 = Native.load("user32", User32.class);
final static int PROCESS_PERMISSIONS = WinNT.PROCESS_QUERY_INFORMATION | WinNT.PROCESS_VM_READ;
public static int PROCESS_VM_READ = 0x0010; public static int PROCESS_VM_READ = 0x0010;
public static int PROCESS_VM_WRITE = 0x0020; public static int PROCESS_VM_WRITE = 0x0020;
public static int PROCESS_VM_OPERATION = 0x0008; public static int PROCESS_VM_OPERATION = 0x0008;
public static int getProcessId(String window) { public static int getProcessIdByWindowTitle(String window) {
IntByReference pid = new IntByReference(0); IntByReference pid = new IntByReference(0);
user32.GetWindowThreadProcessId(user32.FindWindowA(null, window), pid); user32.GetWindowThreadProcessId(user32.FindWindowA(null, window), pid);
return pid.getValue(); return pid.getValue();
} }
public static Pointer openProcess(int permissions, int pid) { public static Pointer openProcess(int permissions, int pid) {
Pointer process = kernel32.OpenProcess(permissions, true, pid); Pointer process = kernel32.OpenProcess(permissions, true, pid);
return process; return process;
@ -83,7 +90,36 @@ public class Shared {
}; };
} }
public static int getBaseAddress(String executableName) throws IOException { public static int getBaseAddress(String executableName) {
List<Integer> pids = null;
try {
pids = PsapiTools.getInstance().enumProcesses();
} catch (Exception e) {
e.printStackTrace();
return 0;
}
for (Integer pid : pids) {
WinNT.HANDLE process = com.sun.jna.platform.win32.Kernel32.INSTANCE.OpenProcess(PROCESS_PERMISSIONS, true, pid);
List<Module> hModules;
try {
hModules = PsapiTools.getInstance().EnumProcessModules(process);
for (Module m : hModules) {
//System.out.println(m.getFileName()+":"+m.getEntryPoint());
if (m.getFileName().contains(executableName)) {
return (int) Pointer.nativeValue(m.getLpBaseOfDll().getPointer());
}
}
} catch (Exception e) {
e.printStackTrace();
}
}
return 0;
}
@Deprecated
// Kept for historical reasons. Thanks sig.
public static int getBaseAddressPowerShell(String executableName) throws IOException {
String command = "powershell.exe \"$modules = Get-Process " + executableName.split("\\.")[0] + " -Module; $modules[0].BaseAddress;\""; String command = "powershell.exe \"$modules = Get-Process " + executableName.split("\\.")[0] + " -Module; $modules[0].BaseAddress;\"";
// Executing the command // Executing the command
Process powerShellProcess = Runtime.getRuntime().exec(command); Process powerShellProcess = Runtime.getRuntime().exec(command);
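Review bot: Every handle returned by `OpenProcess` inside the `for (Integer pid : pids)` loop is leaked: nothing calls `CloseHandle`, so one handle per running process stays open for the life of the JVM on every lookup, and `bInheritHandle` is `true`, which makes those PROCESS_QUERY_INFORMATION|PROCESS_VM_READ handles inheritable by anything this tool spawns (including the PowerShell fallback kept below). `OpenProcess` also returns null for protected or exited processes, and that null is handed straight to `EnumProcessModules`, producing a printed stack trace per inaccessible process. The match `m.getFileName().contains(executableName)` is a substring test on the full path, so any path merely containing "rabiribi.exe" matches; comparing the base name is tighter. The rewritten loop below closes the handle in a `finally`, passes `false` for inheritance and matches on `getBaseName()`; `(int)` truncation of the pointer is left as is but is worth a comment about 32-bit-only targets.
```java
for (Integer pid : pids) {
    // Non-inheritable: child processes (e.g. the PowerShell fallback) must not receive this handle.
    WinNT.HANDLE process = com.sun.jna.platform.win32.Kernel32.INSTANCE.OpenProcess(PROCESS_PERMISSIONS, false, pid);
    if (process == null) {
        continue; // access denied or the process is gone; not an error for a search
    }
    try {
        for (Module m : PsapiTools.getInstance().EnumProcessModules(process)) {
            if (m.getBaseName().equalsIgnoreCase(executableName)) {
                return (int) Pointer.nativeValue(m.getLpBaseOfDll().getPointer());
            }
        }
    } catch (Exception e) {
        e.printStackTrace();
    } finally {
        com.sun.jna.platform.win32.Kernel32.INSTANCE.CloseHandle(process);
    }
}
// … unchanged: return 0; and the deprecated PowerShell fallback …
```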

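--- a/src/de/marenthyu/memedit/util/sig/Module.java
+++ b/src/de/marenthyu/memedit/util/sig/Module.java
@@ -0,0 +1,64 @@
+package de.marenthyu.memedit.util.sig;
+import com.sun.jna.platform.win32.WinDef.HMODULE;
+import com.sun.jna.platform.win32.WinNT.HANDLE;
+import de.marenthyu.memedit.util.sig.Psapi.LPMODULEINFO;
+public class Module {
+private HANDLE hProcess;
+private HMODULE hModule;
+private HANDLE lpBaseOfDll = null;
+private int SizeOfImage = 0;
+private HANDLE EntryPoint = null;
+private PsapiTools psapi = PsapiTools.getInstance();
+protected Module() {
+}
+public Module(HANDLE hProcess, HMODULE hModule) {
+this.hProcess = hProcess;
+this.hModule = hModule;
+}
+public HMODULE getPointer() {
+return hModule;
+}
+public String getFileName() {
+return psapi.GetModuleFileNameExA(hProcess, hModule);
+}
+public String getBaseName() {
+return psapi.GetModuleBaseNameA(hProcess, hModule);
+}
+private void GetModuleInformation() {
+if (lpBaseOfDll == null) {
+try {
+LPMODULEINFO x = psapi.GetModuleInformation(hProcess, hModule);
+lpBaseOfDll = x.lpBaseOfDll;
+SizeOfImage = x.SizeOfImage;
+EntryPoint = x.EntryPoint;
+} catch (Exception e) {
+e.printStackTrace();
+}
+}
+}
+public HANDLE getLpBaseOfDll() {
+GetModuleInformation();
+return lpBaseOfDll;
+}
+public int getSizeOfImage() {
+GetModuleInformation();
+return SizeOfImage;
+}
+public HANDLE getEntryPoint() {
+GetModuleInformation();
+return EntryPoint;
+}
+}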
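Review bot: `getLpBaseOfDll()`, `getSizeOfImage()` and `getEntryPoint()` silently return null/0 when `GetModuleInformation` fails, because the catch in the private `GetModuleInformation()` only prints the stack trace; the caller in Shared.getBaseAddress then dereferences `getLpBaseOfDll().getPointer()` and gets a NullPointerException far from the real cause. The failure should surface here, e.g. replace `e.printStackTrace();` with `throw new IllegalStateException("GetModuleInformation failed for module " + hModule, e);`, or at least document on the three getters that they return null/0 when the lookup failed. The `if (lpBaseOfDll == null)` guard also means a failed lookup is retried on every getter call, which deserves a one-line comment stating that this is intended.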

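--- a/src/de/marenthyu/memedit/util/sig/Psapi.java
+++ b/src/de/marenthyu/memedit/util/sig/Psapi.java
@@ -0,0 +1,57 @@
+package de.marenthyu.memedit.util.sig;
+import com.sun.jna.Native;
+import com.sun.jna.Structure;
+import com.sun.jna.platform.win32.WinDef.HMODULE;
+import com.sun.jna.platform.win32.WinNT.HANDLE;
+import com.sun.jna.ptr.IntByReference;
+import com.sun.jna.win32.StdCallLibrary;
+import java.util.Arrays;
+import java.util.List;
+public interface Psapi extends StdCallLibrary {
+Psapi INSTANCE = Native.load("Psapi", Psapi.class);
+/*
+* http://msdn.microsoft.com/en-us/library/ms682629(VS.85).aspx
+*/
+boolean EnumProcesses(int[] pProcessIds, int cb, IntByReference pBytesReturned);
+/*
+* http://msdn.microsoft.com/en-us/library/ms682631(VS.85).aspx
+*/
+boolean EnumProcessModules(HANDLE hProcess, HMODULE[] lphModule, int cb, IntByReference lpcbNeededs);
+boolean EnumProcessModulesEx(HANDLE hProcess, HMODULE[] lphModule, int cb, IntByReference lpcbNeededs, int flags);
+/*
+* http://msdn.microsoft.com/en-us/library/ms683198(VS.85).aspx
+*/
+int GetModuleFileNameExA(HANDLE hProcess, HMODULE hModule, byte[] lpImageFileName, int nSize);
+int GetModuleBaseNameA(HANDLE hProcess, HMODULE hModule, byte[] lpImageFileName, int nSize);
+/*
+* http://msdn.microsoft.com/en-us/library/ms684229(VS.85).aspx
+*/
+public static class LPMODULEINFO extends Structure {
+public HANDLE lpBaseOfDll;
+public int SizeOfImage;
+public HANDLE EntryPoint;
+@Override
+protected List getFieldOrder() {
+return Arrays.asList(new String[] { "lpBaseOfDll", "SizeOfImage", "EntryPoint"});
+}
+}
+/*
+* http://msdn.microsoft.com/en-us/library/ms683201(VS.85).aspx
+*/
+boolean GetModuleInformation(HANDLE hProcess, HMODULE hModule, LPMODULEINFO lpmodinfo, int cb);
+}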
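Review bot: The `cb` parameters of `EnumProcesses`, `EnumProcessModules` and `EnumProcessModulesEx` are byte counts on the linked MSDN pages, and `lpcbNeededs` comes back in bytes as well, but nothing in this binding says so; PsapiTools in this same commit passes `lphModule.length` (an element count) for cb, which is the kind of mistake a one-line note prevents: `/** @param cb size of lphModule in BYTES (elements * Native.POINTER_SIZE); lpcbNeededs is returned in bytes too. */`. Separately, `getFieldOrder()` returns a raw `List` where JNA declares `List<String>`; `protected List<String> getFieldOrder() { return Arrays.asList("lpBaseOfDll", "SizeOfImage", "EntryPoint"); }` removes the unchecked warning and the explicit array. If the JNA version in use ships `com.sun.jna.platform.win32.Psapi` (recent releases do, with MODULEINFO and the same three calls), this hand-rolled binding duplicates it and could be dropped.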

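--- a/src/de/marenthyu/memedit/util/sig/PsapiTools.java
+++ b/src/de/marenthyu/memedit/util/sig/PsapiTools.java
@@ -0,0 +1,104 @@
+package de.marenthyu.memedit.util.sig;
+import com.sun.jna.Native;
+import com.sun.jna.platform.win32.Kernel32;
+import com.sun.jna.platform.win32.WinDef.HMODULE;
+import com.sun.jna.platform.win32.WinNT.HANDLE;
+import com.sun.jna.ptr.IntByReference;
+import de.marenthyu.memedit.util.sig.Psapi.LPMODULEINFO;
+import java.util.LinkedList;
+import java.util.List;
+public class PsapiTools {
+private static PsapiTools INSTANCE=null;
+private static Psapi psapi = Psapi.INSTANCE;
+private static Kernel32 k32 = Kernel32.INSTANCE;
+private PsapiTools(){}
+public static PsapiTools getInstance(){
+if (INSTANCE==null)
+INSTANCE=new PsapiTools();
+return INSTANCE;
+}
+public List<Integer> enumProcesses() throws Exception{
+List<Integer> list = new LinkedList<Integer>();
+int[] pProcessIds = new int[1024];
+IntByReference pBytesReturned = new IntByReference();
+boolean success = psapi.EnumProcesses(pProcessIds, pProcessIds.length*Integer.SIZE/8, pBytesReturned);
+if (!success){
+int err=k32.GetLastError();
+throw new Exception("EnumProcesses failed. Error: "+err);
+}
+int size = (pBytesReturned.getValue()/(Integer.SIZE/8));
+for (int i=0;i<size;i++)
+list.add(pProcessIds[i]);
+return list;
+}
+public List<Module> EnumProcessModules(HANDLE hProcess) throws Exception{
+List<Module> list = new LinkedList<Module>();
+HMODULE[] lphModule = new HMODULE[1024];
+IntByReference lpcbNeededs= new IntByReference();
+boolean success = psapi.EnumProcessModules(hProcess, lphModule, lphModule.length, lpcbNeededs);
+if (!success){
+int err=k32.GetLastError();
+if (err!=6 && err!=299) {
+throw new Exception("EnumProcessModules failed. Error: "+err);
+}
+}
+for (int i = 0; i < lpcbNeededs.getValue()/4; i++) {
+list.add(new Module(hProcess, lphModule[i]));
+}
+return list;
+}
+public List<Module> EnumProcessModulesEx(HANDLE hProcess, int flags) throws Exception{
+List<Module> list = new LinkedList<Module>();
+HMODULE[] lphModule = new HMODULE[1024];
+IntByReference lpcbNeededs= new IntByReference();
+boolean success = psapi.EnumProcessModulesEx(hProcess, lphModule, lphModule.length, lpcbNeededs, flags);
+if (!success){
+int err=k32.GetLastError();
+throw new Exception("EnumProcessModules failed. Error: "+err);
+}
+for (int i = 0; i < lpcbNeededs.getValue()/4; i++) {
+list.add(new Module(hProcess, lphModule[i]));
+}
+return list;
+}
+public String GetModuleFileNameExA(HANDLE hProcess, HMODULE hModule){
+byte[] lpImageFileName= new byte[256];
+psapi.GetModuleFileNameExA(hProcess, hModule, lpImageFileName, 256);
+return Native.toString(lpImageFileName);
+}
+public String GetModuleBaseNameA(HANDLE hProcess, HMODULE hModule){
+byte[] lpImageFileName= new byte[256];
+psapi.GetModuleBaseNameA(hProcess, hModule, lpImageFileName, 256);
+return Native.toString(lpImageFileName);
+}
+public LPMODULEINFO GetModuleInformation(HANDLE hProcess, HMODULE hModule) throws Exception{
+LPMODULEINFO lpmodinfo = new LPMODULEINFO();
+boolean success = psapi.GetModuleInformation(hProcess, hModule, lpmodinfo, lpmodinfo.size());
+if (!success){
+int err=k32.GetLastError();
+throw new Exception("GetModuleInformation failed. Error: "+err);
+}
+return lpmodinfo;
+}
+}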
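Review bot: `EnumProcessModules` and `EnumProcessModulesEx` pass `lphModule.length` (1024, an element count) as `cb`, which the API reads as a byte count, so only 1024 bytes of the array are ever filled (128 entries on a 64-bit JVM), while the loop then walks `lpcbNeededs.getValue()/4` entries — a divisor that is only right for 4-byte handles; on a 64-bit JVM it walks twice as many slots as modules, producing `Module` objects with null handles and, for processes with more than 512 modules, an ArrayIndexOutOfBoundsException. The loop also runs after errors 6 and 299 are swallowed, when `lpcbNeededs` is not meaningful. The rewrite below sizes `cb` in bytes, divides by the real pointer size, caps the count at the array length and returns an empty list on the tolerated errors; `EnumProcessModulesEx` needs the same two arithmetic fixes. Two smaller points: `enumProcesses` cannot detect more than 1024 processes because `EnumProcesses` reports no truncation (retry with a larger buffer while `pBytesReturned == cb`), and the 256-byte buffers in `GetModuleFileNameExA`/`GetModuleBaseNameA` are below MAX_PATH (260) and truncate long paths silently.
```java
public List<Module> EnumProcessModules(HANDLE hProcess) throws Exception{
    List<Module> list = new LinkedList<Module>();
    HMODULE[] lphModule = new HMODULE[1024];
    int cb = lphModule.length * Native.POINTER_SIZE; // cb is a byte count, not an element count
    IntByReference lpcbNeededs= new IntByReference();
    boolean success = psapi.EnumProcessModules(hProcess, lphModule, cb, lpcbNeededs);
    if (!success){
        int err=k32.GetLastError();
        if (err!=6 && err!=299) {
            throw new Exception("EnumProcessModules failed. Error: "+err);
        }
        return list; // ERROR_INVALID_HANDLE / ERROR_PARTIAL_COPY: lpcbNeededs is not usable
    }
    // lpcbNeededs is in bytes; never read past what fit into the array
    int count = Math.min(lpcbNeededs.getValue() / Native.POINTER_SIZE, lphModule.length);
    for (int i = 0; i < count; i++) {
        list.add(new Module(hProcess, lphModule[i]));
    }
    return list;
}
// … unchanged: EnumProcessModulesEx (apply the same cb / POINTER_SIZE fix), name and info helpers …
```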

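--- a/src/de/marenthyu/memedit/util/sig/notice.txt
+++ b/src/de/marenthyu/memedit/util/sig/notice.txt
@@ -0,0 +1,3 @@
+Thank you to https://github.com/sigonasr2/sigIRCv2 for providing the classes in this package.
+No LICENSE was attached to the project at the time of writing. Credit to the original author.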