Commit d3d96f0

feat: Make Process: entry display the window title of the target process instead
1 parent 6feabdd commit d3d96f0

1 file changed

Lines changed: 360 additions & 0 deletions

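--- a/main.cpp
+++ b/main.cpp
@@ -1513,6 +1513,354 @@ return WideToString(stringBuffer);
 #endif
 }
 
+/* another massive block
+2453128674613097462347362402316408372462317652378652397816478164234
+4237842134623140236403264236492173643219462193487621394612983746973424
+242347623947623987462378462398746239187463298746987462398764728936428379462
+248764923864698723498237698327649823764879264928736482379642713642]
+
+33424234234
+234234234
+231423423
+4234234
+*/
+
+std::string GetWindowTitle(HANDLE hproc) {
+// in this function, we will get the window title of the program
+// by once again readding the peb
+// it will replace the "Process" entry because
+// currently its a bit redundant
+// this will be a bit more helpful while still being basically instant
+// and if its a headless program it doesn't matter much since its going to be the .exe name either way
+// which would be the same as not reading the PEB so better to try than nothing
+#ifdef _M_X64
+
+
+BOOL isWow64 = FALSE;
+if (!IsWow64Process(hproc, &isWow64)) {
+return ""; // in this case, we don't need to return an error code if it fails, we just silently fall back
+// to the existing target name we already had so it doesn't matter much
+}
+bool isWoW64 = isWow64;
+
+if (!isWoW64) {
+
+typedef NTSTATUS (WINAPI *pNtQueryInformationProcess)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
+auto queryInfo = (pNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
+if (!queryInfo) {
+return "";
+}
+
+PROCESS_BASIC_INFORMATION pbi;
+if (queryInfo(hproc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL) != 0) {
+
+return "";
+}
+
+PVOID procParamPtr = nullptr;
+if (!ReadProcessMemory(hproc, (BYTE*)pbi.PebBaseAddress + 0x20, &procParamPtr, sizeof(PVOID), NULL)) {
+return "";
+}
+
+UNICODE_STRING cmdLStruct;
+SIZE_T bytesRead2 = 0;
+if (!ReadProcessMemory(hproc, (BYTE*)procParamPtr + 0x38, &cmdLStruct, sizeof(cmdLStruct), &bytesRead2)) {
+return "";
+}
+
+if (cmdLStruct.Length == 0 || (cmdLStruct.Length % sizeof(wchar_t)) != 0 || cmdLStruct.Length > 65534) {
+return "";
+}
+
+size_t wchar_count = cmdLStruct.Length / sizeof(wchar_t);
+std::vector<wchar_t> buffer(wchar_count + 1, 0);
+if (!ReadProcessMemory(hproc, cmdLStruct.Buffer, buffer.data(), cmdLStruct.Length, NULL))
+{
+return "";
+}
+
+std::wstring stringBuffer = buffer.data();
+return WideToString(stringBuffer);
+
+
+} else {
+auto queryInfo = (pNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
+if (!queryInfo) {
+v
+}
+
+ULONG_PTR peb32Address = 0;
+NTSTATUS status = queryInfo(hproc, ProcessWow64Information, &peb32Address, sizeof(peb32Address), NULL);
+if (status != 0 || peb32Address == 0) {
+return "";
+}
+
+ULONG procParamPtr32 = 0;
+if (!ReadProcessMemory(hproc, (BYTE*)peb32Address + 0x10, &procParamPtr32, sizeof(procParamPtr32), NULL)) {
+return "";
+}
+
+UNICODE_STRING32 cmdLStruct32{};
+if (!ReadProcessMemory(hproc, (BYTE*)(ULONG_PTR)procParamPtr32 + 0x24, &cmdLStruct32, sizeof(cmdLStruct32), NULL)) {
+return "";
+}
+
+if (cmdLStruct32.Length == 0 || (cmdLStruct32.Length % sizeof(wchar_t)) != 0 || cmdLStruct32.Length > 65534) {
+return "";
+}
+
+size_t wchar_count = cmdLStruct32.Length / sizeof(wchar_t);
+std::vector<wchar_t> buffer(wchar_count + 1, 0);
+if (!ReadProcessMemory(hproc, (PVOID)(ULONG_PTR)cmdLStruct32.Buffer, buffer.data(), cmdLStruct32.Length, NULL))
+{
+return "";
+}
+
+std::wstring stringBuffer = buffer.data();
+return WideToString(stringBuffer);
+}
+#elif defined(_M_IX86)
+BOOL areWeWoW64 = FALSE;
+IsWow64Process(GetCurrentProcess(), &areWeWoW64);
+if (!areWeWoW64) {
+typedef NTSTATUS (WINAPI *pNtQueryInformationProcess)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
+auto queryInfo = (pNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
+if (!queryInfo) {
+return "";
+}
+
+PROCESS_BASIC_INFORMATION pbi;
+if (queryInfo(hproc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL) != 0) {
+
+return "";
+}
+
+PVOID procParamPtr = nullptr;
+if (!ReadProcessMemory(hproc, (BYTE*)pbi.PebBaseAddress + 0x10, &procParamPtr, sizeof(PVOID), NULL)) {
+return "";
+}
+
+UNICODE_STRING cmdLStruct;
+SIZE_T bytesRead2 = 0;
+if (!ReadProcessMemory(hproc, (BYTE*)procParamPtr + 0x24, &cmdLStruct, sizeof(cmdLStruct), &bytesRead2)) {
+return "";
+}
+
+if (cmdLStruct.Length == 0 || (cmdLStruct.Length % sizeof(wchar_t)) != 0 || cmdLStruct.Length > 65534) {
+return "";
+}
+
+size_t wchar_count = cmdLStruct.Length / sizeof(wchar_t);
+std::vector<wchar_t> buffer(wchar_count + 1, 0);
+if (!ReadProcessMemory(hproc, cmdLStruct.Buffer, buffer.data(), cmdLStruct.Length, NULL))
+{
+return "";
+}
+
+std::wstring stringBuffer = buffer.data();
+return WideToString(stringBuffer);
+} else {
+
+BOOL targetIsWow64 = FALSE;
+
+IsWow64Process(hproc, &targetIsWow64);
+if (targetIsWow64) {
+
+typedef NTSTATUS (WINAPI *pNtQueryInformationProcess)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
+auto queryInfo = (pNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
+if (!queryInfo) {
+return "";
+}
+
+PROCESS_BASIC_INFORMATION pbi;
+if (queryInfo(hproc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL) != 0) {
+
+return "";
+}
+
+PVOID procParamPtr = nullptr;
+if (!ReadProcessMemory(hproc, (BYTE*)pbi.PebBaseAddress + 0x10, &procParamPtr, sizeof(PVOID), NULL)) {
+return "";
+}
+
+UNICODE_STRING cmdLStruct;
+SIZE_T bytesRead2 = 0;
+if (!ReadProcessMemory(hproc, (BYTE*)procParamPtr + 0x24, &cmdLStruct, sizeof(cmdLStruct), &bytesRead2)) {
+return "";
+}
+
+if (cmdLStruct.Length == 0 || (cmdLStruct.Length % sizeof(wchar_t)) != 0 || cmdLStruct.Length > 65534) {
+return "";
+}
+
+size_t wchar_count = cmdLStruct.Length / sizeof(wchar_t);
+std::vector<wchar_t> buffer(wchar_count + 1, 0);
+if (!ReadProcessMemory(hproc, cmdLStruct.Buffer, buffer.data(), cmdLStruct.Length, NULL))
+{
+return "";
+}
+
+std::wstring stringBuffer = buffer.data();
+return WideToString(stringBuffer);
+
+} else {
+
+HMODULE ntdll = GetModuleHandleA("ntdll.dll");
+auto queryInfo64 = (pNtWow64QueryInformationProcess64)GetProcAddress(ntdll, "NtWow64QueryInformationProcess64");
+auto readMem64 = (pNtWow64ReadVirtualMemory64)GetProcAddress(ntdll, "NtWow64ReadVirtualMemory64");
+
+if (!queryInfo64 || !readMem64) {
+return "";
+}
+
+HANDLE targetHandle = hproc;
+HANDLE openedHandle = NULL;
+DWORD targetPid = 0;
+if (hproc != NULL) {
+targetPid = GetProcessId(hproc);
+}
+if (targetPid != 0) {
+openedHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, targetPid);
+if (openedHandle) targetHandle = openedHandle;
+}
+
+PROCESS_BASIC_INFORMATION64 pbi64{};
+ULONG returnLen = 0;
+NTSTATUS status = queryInfo64(targetHandle, ProcessBasicInformation, &pbi64, sizeof(pbi64), &returnLen);
+ULONG64 peb64Address = pbi64.PebBaseAddress;
+if (status != 0 || peb64Address == 0) {
+if (openedHandle) CloseHandle(openedHandle);
+return "";
+}
+
+ULONG64 procParamPtr64 = 0;
+status = readMem64(targetHandle, peb64Address + 0x20, &procParamPtr64, sizeof(procParamPtr64), NULL);
+if (status != 0) {
+if (openedHandle) CloseHandle(openedHandle);
+return "";
+}
+
+UNICODE_STRING64 cmdLStruct64;
+status = readMem64(targetHandle, procParamPtr64 + 0x38, &cmdLStruct64, sizeof(cmdLStruct64), NULL);
+if (status != 0) {
+if (openedHandle) CloseHandle(openedHandle);
+return "";
+}
+
+if (cmdLStruct64.Length == 0 || (cmdLStruct64.Length % sizeof(wchar_t)) != 0 || cmdLStruct64.Length > 65534) {
+if (openedHandle) CloseHandle(openedHandle);
+return "";
+}
+
+size_t wchar_count = cmdLStruct64.Length / sizeof(wchar_t);
+std::vector<wchar_t> buffer(wchar_count + 1, 0);
+status = readMem64(targetHandle, cmdLStruct64.Buffer, buffer.data(), cmdLStruct64.Length, NULL);
+if (status != 0) {
+if (openedHandle) CloseHandle(openedHandle);
+return "";
+}
+
+if (openedHandle) CloseHandle(openedHandle);
+std::wstring wstr(buffer.data());
+return WideToString(wstr);
+
+
+
+}
+
+}
+#elif defined(_M_ARM64)
+
+
+BOOL isWow64 = FALSE;
+if (!IsWow64Process(hproc, &isWow64)) {
+return "";
+}
+bool isWoW64 = isWow64;
+
+if (!isWoW64) {
+
+typedef NTSTATUS (WINAPI *pNtQueryInformationProcess)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
+auto queryInfo = (pNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
+
+if (!queryInfo) {
+return "";
+}
+
+PROCESS_BASIC_INFORMATION pbi;
+if (queryInfo(hproc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL) != 0) {
+
+return "";
+}
+
+PVOID procParamPtr = nullptr;
+if (!ReadProcessMemory(hproc, (BYTE*)pbi.PebBaseAddress + 0x20, &procParamPtr, sizeof(PVOID), NULL)) {
+return "";
+}
+
+UNICODE_STRING cmdLStruct;
+SIZE_T bytesRead2 = 0;
+if (!ReadProcessMemory(hproc, (BYTE*)procParamPtr + 0x38, &cmdLStruct, sizeof(cmdLStruct), &bytesRead2)) {
+return "";
+}
+
+if (cmdLStruct.Length == 0 || (cmdLStruct.Length % sizeof(wchar_t)) != 0 || cmdLStruct.Length > 65534) {
+return "";
+}
+
+size_t wchar_count = cmdLStruct.Length / sizeof(wchar_t);
+std::vector<wchar_t> buffer(wchar_count + 1, 0);
+if (!ReadProcessMemory(hproc, cmdLStruct.Buffer, buffer.data(), cmdLStruct.Length, NULL))
+{
+return "";
+}
+
+std::wstring stringBuffer = buffer.data();
+return WideToString(stringBuffer);
+
+
+} else {
+
+auto queryInfo = (pNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
+if (!queryInfo) {
+return "";
+}
+
+ULONG_PTR peb32Address = 0;
+NTSTATUS status = queryInfo(hproc, ProcessWow64Information, &peb32Address, sizeof(peb32Address), NULL);
+if (status != 0 || peb32Address == 0) {
+return "";
+}
+
+ULONG procParamPtr32 = 0;
+if (!ReadProcessMemory(hproc, (BYTE*)peb32Address + 0x10, &procParamPtr32, sizeof(procParamPtr32), NULL)) {
+return "";
+}
+
+UNICODE_STRING32 cmdLStruct32{};
+if (!ReadProcessMemory(hproc, (BYTE*)(ULONG_PTR)procParamPtr32 + 0x24, &cmdLStruct32, sizeof(cmdLStruct32), NULL)) {
+return "";
+}
+
+if (cmdLStruct32.Length == 0 || (cmdLStruct32.Length % sizeof(wchar_t)) != 0 || cmdLStruct32.Length > 65534) {
+return "";
+}
+
+size_t wchar_count = cmdLStruct32.Length / sizeof(wchar_t);
+std::vector<wchar_t> buffer(wchar_count + 1, 0);
+if (!ReadProcessMemory(hproc, (PVOID)(ULONG_PTR)cmdLStruct32.Buffer, buffer.data(), cmdLStruct32.Length, NULL))
+{
+return "";
+}
+
+std::wstring stringBuffer = buffer.data();
+return WideToString(stringBuffer);
+}
+#else
+return "";
+#endif
+}
+
 void PrintAncestry(DWORD pid, HANDLE hSnapshot, const std::unordered_map<DWORD, PROCESSENTRY32>& pidMap) {
 // now we're geting the name
 // we're making it slower by adding a bunch of snapshots
@@ -1756,20 +2104,32 @@ void PIDinspect(const std::vector<DWORD>& pids, const std::vector<std::string>&
 } while (Process32Next(hshot, &pe32));
 }
 std::string procName = GetProcessNameFromPid(pid, hshot);
+std::string process = GetWindowTitle(hshot);
+
+
 if (virtualTerminalEnabled) {
+if (!process == "") {
+std::cout << "\033[34mTarget:\033[0m " << procName << "\033[0m" << std::endl;
+std::cout << "\033[34mProcess:\033[0m " << process << "\033[90m (pid " << std::to_string(pid) << ")\033[0m" << std::endl;
+} else {
 if (procName == ""){
 std::cout << "\033[34mTarget:\033[0m N/A\n\033[34mProcess:\033[0m N/A\n";
 } else {
 std::cout << "\033[34mTarget:\033[0m " << procName << "\033[0m" << std::endl;
 std::cout << "\033[34mProcess:\033[0m " << procName << "\033[90m (pid " << std::to_string(pid) << ")\033[0m" << std::endl;
 }
 } else {
+if (!process == "") {
+std::cout << "Target: " << procName << std::endl;
+std::cout << "Process: " << process << " (pid " << std::to_string(pid) << ")" << std::endl;
+} else {
 if (procName == ""){
 std::cout << "Target: N/A\nProcess: N/A\n";
 } else {
 std::cout << "Target: " << procName << std::endl;
 std::cout << "Process: " << procName << " (pid " << std::to_string(pid) << ")" << std::endl;
 }
+}
 }
 
 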
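Review bot: The call at 2107 hands `GetWindowTitle` the Toolhelp snapshot handle `hshot` (the one `Process32Next` walks three lines above), but the function treats its argument as a process handle for `IsWow64Process`, `NtQueryInformationProcess` and `ReadProcessMemory`, so every query fails and the new output branch is dead; open a per-pid handle instead, as below, and close it after the call. Both new `if (!process == "")` tests (2111, 2122) are ill-formed for a `std::string` and should read `if (!process.empty())`, the stray `v` at 1589 should be `return "";`, and the `pNtQueryInformationProcess` typedef used at 1587 and 1824 is declared inside the sibling `if` block and is out of scope there unless a file-level typedef of that name also exists. The reads at 1567/1744/1803 (`+0x38` on a 64-bit target) and 1604/1645/1688/1841 (`+0x24` on a 32-bit target) use the same undocumented `RTL_USER_PROCESS_PARAMETERS` offsets a command-line reader would hard-code and the result is even named `cmdLStruct`; as far as I recall those offsets land on `CurrentDirectory`, with `WindowTitle` at `0xB0`/`0x70`, so verify them against `dt ntdll!_RTL_USER_PROCESS_PARAMETERS` and comment each offset with the field it targets. Because `Length` and `Buffer` are read from a possibly hostile target, the `Length <= 65534` bound, the even-length check and the explicit terminator in `buffer` are the right defence and should survive any offset change; `PIDinspect` starts before the hunk and appears to continue past it.
```cpp
std::string procName = GetProcessNameFromPid(pid, hshot);
// hshot is a Toolhelp snapshot; the PEB reads need a real process handle
HANDLE hTarget = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
std::string process = hTarget ? GetWindowTitle(hTarget) : std::string();
if (hTarget) CloseHandle(hTarget);
// … unchanged: the two output branches, each with `if (!process.empty())` in place of `if (!process == "")` …
```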
