-
Notifications
You must be signed in to change notification settings - Fork 44
Expand file tree
/
Copy pathNtUtils.Processes.Create.Wer.pas
More file actions
315 lines (265 loc) · 8.73 KB
/
NtUtils.Processes.Create.Wer.pas
File metadata and controls
315 lines (265 loc) · 8.73 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
unit NtUtils.Processes.Create.Wer;
{
This module provides process creation methods via Windows Error Reporting ALPC
port communication.
}
interface
uses
Ntapi.ntseapi, NtUtils, NtUtils.Processes.Create;
// Create a new process via WER::NonElevatedProcessStart
[SupportedOption(spoParameters)]
function WerxExecuteNonElevated(
const Options: TCreateProcessOptions;
out Info: TProcessInfo
): TNtxStatus;
// Create a new process via a WER::SilentProcessExitReport trigger
[RequiresAdmin]
[SupportedOption(spoParameters)]
[SupportedOption(spoRequireElevation)]
function WerxExecuteSilentProcessExit(
const Options: TCreateProcessOptions;
out Info: TProcessInfo
): TNtxStatus;
implementation
uses
Ntapi.WinNt, Ntapi.ntstatus, Ntapi.ntdef, Ntapi.werscv, Ntapi.ntregapi,
Ntapi.ntpebteb, Ntapi.ntpsapi, NtUtils.Wer, NtUtils.Registry,
NtUtils.SysUtils, NtUtils.Synchronization;
{$BOOLEVAL OFF}
{$IFOPT R+}{$DEFINE R+}{$ENDIF}
{$IFOPT Q+}{$DEFINE Q+}{$ENDIF}
function WerxExecuteNonElevated;
var
hxWerMgr: IHandle;
begin
// We do get a handle for waiting on the worker WerMgr process, but not the
// target process info.
Info := Default(TProcessInfo);
// Send a request to WER
Result := WerxNonElevatedCommand(hxWerMgr, NonElevatedProcLaunchTypeOpen,
Options.ApplicationWin32, Options.CommandLine);
end;
const
WER_SILENT_PROCESS_EXIT_KEY = REG_PATH_MACHINE +
'\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit';
WER_SILENT_PROCESS_EXIT_MONITOR_PROCESS = 'MonitorProcess';
WER_SILENT_PROCESS_EXIT_REPORTING_MODE = 'ReportingMode';
WER_IFEO_KEY = REG_PATH_MACHINE +
'\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options';
WER_IFEO_GLOBAL_FLAGS = 'GlobalFlag';
// MSDN
LAUNCH_MONITORPROCESS = $01;
function WerxSetSilentProcessExitKey(
const ImageName: String;
const MonitorProcess: String;
out Reverter: IDeferredOperation
): TNtxStatus;
var
hxBaseKey, hxKey: IHandle;
BaseKeyDisposition, ImageKeyDisposition: TRegDisposition;
RestoreMonitorProcess, RestoreReportingMode: Boolean;
OldMonitorProcess, OldReportingMode: TNtxRegValue;
begin
// Create or open the silent process exit root key
Result := NtxCreateKey(
hxBaseKey,
WER_SILENT_PROCESS_EXIT_KEY,
KEY_CREATE_SUB_KEY or _DELETE,
REG_OPTION_VOLATILE,
nil,
'',
0,
@BaseKeyDisposition
);
if not Result.IsSuccess then
Exit;
// Create or open the application's silent process exit key
Result := NtxCreateKey(
hxKey,
ImageName,
KEY_QUERY_VALUE or KEY_SET_VALUE or _DELETE,
REG_OPTION_VOLATILE,
AttributeBuilder.UseRoot(hxBaseKey),
'',
0,
@ImageKeyDisposition
);
if not Result.IsSuccess then
Exit;
if ImageKeyDisposition = REG_OPENED_EXISTING_KEY then
begin
// Backup the previous monitor process value
Result := NtxQueryValueKey(hxKey, WER_SILENT_PROCESS_EXIT_MONITOR_PROCESS,
OldMonitorProcess);
RestoreReportingMode := Result.IsSuccess;
if Result.Status = STATUS_OBJECT_NAME_NOT_FOUND then
Result := NtxSuccess
else if not Result.IsSuccess then
Exit;
// Backup the previous reporting mode value
Result := NtxQueryValueKey(hxKey, WER_SILENT_PROCESS_EXIT_REPORTING_MODE,
OldReportingMode);
RestoreMonitorProcess := Result.IsSuccess;
if Result.Status = STATUS_OBJECT_NAME_NOT_FOUND then
Result := NtxSuccess
else if not Result.IsSuccess then
Exit;
end;
// Set the reporting mode
Result := NtxSetValueKeyUInt32(hxKey, WER_SILENT_PROCESS_EXIT_REPORTING_MODE,
LAUNCH_MONITORPROCESS);
if not Result.IsSuccess then
Exit;
// Set the monitor process
Result := NtxSetValueKeyString(hxKey, WER_SILENT_PROCESS_EXIT_MONITOR_PROCESS,
MonitorProcess);
if not Result.IsSuccess then
Exit;
// Prepare an undo operation
Reverter := Auto.Defer(
procedure
begin
case ImageKeyDisposition of
REG_CREATED_NEW_KEY:
begin
// Undo image key creation
NtxDeleteKey(hxKey);
hxKey := nil;
// Undo base key creation
if BaseKeyDisposition = REG_CREATED_NEW_KEY then
NtxDeleteKey(hxBaseKey);
end;
REG_OPENED_EXISTING_KEY:
begin
// Undo monitor process modification
if RestoreMonitorProcess then
NtxSetValueKey(hxKey, WER_SILENT_PROCESS_EXIT_MONITOR_PROCESS,
OldMonitorProcess.ValueType,
OldMonitorProcess.Data.Data,
OldMonitorProcess.Data.Size
)
else
NtxDeleteValueKey(hxKey, WER_SILENT_PROCESS_EXIT_MONITOR_PROCESS);
// Undo reporting mode modification
if RestoreReportingMode then
NtxSetValueKey(hxKey, WER_SILENT_PROCESS_EXIT_REPORTING_MODE,
OldReportingMode.ValueType,
OldReportingMode.Data.Data,
OldReportingMode.Data.Size
)
else
NtxDeleteValueKey(hxKey, WER_SILENT_PROCESS_EXIT_REPORTING_MODE);
end;
end;
end
);
end;
function WerxSetIFEOGlobalFlags(
const ImageName: String;
Value: TNtGlobalFlags;
out Reverter: IDeferredOperation
): TNtxStatus;
var
hxKey: IHandle;
Disposition: TRegDisposition;
RestoreGlobalFlags: Boolean;
OldGlobalFlags: TNtxRegValue;
begin
// Create or open the application's IFEO key
Result := NtxCreateKey(
hxKey,
RtlxCombinePaths(WER_IFEO_KEY, ImageName),
KEY_QUERY_VALUE or KEY_SET_VALUE or _DELETE,
REG_OPTION_VOLATILE,
nil,
'',
0,
@Disposition
);
if not Result.IsSuccess then
Exit;
if Disposition = REG_OPENED_EXISTING_KEY then
begin
// Backup the previous monitor process value
Result := NtxQueryValueKey(hxKey, WER_IFEO_GLOBAL_FLAGS, OldGlobalFlags);
RestoreGlobalFlags := Result.IsSuccess;
if Result.Status = STATUS_OBJECT_NAME_NOT_FOUND then
Result := NtxSuccess
else if not Result.IsSuccess then
Exit;
end;
// Set the global flags
Result := NtxSetValueKeyUInt32(hxKey, WER_IFEO_GLOBAL_FLAGS, Value);
if not Result.IsSuccess then
Exit;
// Prepare an undo operation
Reverter := Auto.Defer(
procedure
begin
case Disposition of
REG_CREATED_NEW_KEY:
// Undo creation
NtxDeleteKey(hxKey);
REG_OPENED_EXISTING_KEY:
begin
// Undo global flags modification
if RestoreGlobalFlags then
NtxSetValueKey(hxKey, WER_IFEO_GLOBAL_FLAGS,
OldGlobalFlags.ValueType,
OldGlobalFlags.Data.Data,
OldGlobalFlags.Data.Size
)
else
NtxDeleteValueKey(hxKey, WER_IFEO_GLOBAL_FLAGS);
end;
end;
end
);
end;
function WerxExecuteSilentProcessExit;
var
ImageName: String;
SilentProcessExitKeyReverter: IDeferredOperation;
IFEOGlobalFlagsReverter: IDeferredOperation;
hxCrashReportingProcess: IHandle;
begin
// We do get a handle for waiting on the worker WerFault process, but not the
// target process info.
Info := Default(TProcessInfo);
ImageName := RtlxExtractNamePath(ParamStr(0));
// Set the target command line as the silent process exit monitor process on
// our own executable
Result := WerxSetSilentProcessExitKey(ImageName, Options.CommandLine,
SilentProcessExitKeyReverter);
if not Result.IsSuccess then
Exit;
// Set the global flag in our IFEO to enable silent process exit monitoring
Result := WerxSetIFEOGlobalFlags(ImageName, FLG_MONITOR_SILENT_PROCESS_EXIT,
IFEOGlobalFlagsReverter);
if not Result.IsSuccess then
Exit;
// Send a message to WER reporting silent process exit of our process
if not (poRequireElevation in Options.Flags) then
// Either via the silent process exit ALPC message
Result := WerxReportSilentProcessExit(hxCrashReportingProcess,
NtCurrentThreadId, NtCurrentProcessId, NtCurrentProcessId, STATUS_SUCCESS)
else
// Or via the elevated command ALPC message
Result := WerxElevatedCommand(hxCrashReportingProcess,
RtlxFormatString('-s -t %u -i %u -e %u -c %u', [
TThreadId32(NtCurrentThreadId), TProcessId32(NtCurrentProcessId),
TProcessId32(NtCurrentProcessId), NTSTATUS(STATUS_SUCCESS)
]));
if not Result.IsSuccess then
Exit;
// The crash reporting process waits on the monitor process, meaning it can
// take long to complete. We cannot wait on it indefinitely (if we don't want
// to hang) but, unfortunately, we do need to wait at least a bit since we
// don't want to remove the silent process exit trigger from the registry
// before WerFault has a chance to read it.
Result := NtxWaitForSingleObject(hxCrashReportingProcess, 1500 * MILLISEC);
// Undo registry modifications
IFEOGlobalFlagsReverter := nil;
SilentProcessExitKeyReverter := nil;
end;
end.