@@ -1513,6 +1513,354 @@ return WideToString(stringBuffer);
15131513#endif
15141514}
15151515
1516+ /* another massive block
1517+ 2453128674613097462347362402316408372462317652378652397816478164234
1518+ 4237842134623140236403264236492173643219462193487621394612983746973424
1519+ 242347623947623987462378462398746239187463298746987462398764728936428379462
1520+ 248764923864698723498237698327649823764879264928736482379642713642]
1521+
1522+ 33424234234
1523+ 234234234
1524+ 231423423
1525+ 4234234
1526+ */
1527+
1528+ std::string GetWindowTitle (HANDLE hproc) {
1529+ // in this function, we will get the window title of the program
1530+ // by once again readding the peb
1531+ // it will replace the "Process" entry because
1532+ // currently its a bit redundant
1533+ // this will be a bit more helpful while still being basically instant
1534+ // and if its a headless program it doesn't matter much since its going to be the .exe name either way
1535+ // which would be the same as not reading the PEB so better to try than nothing
1536+ #ifdef _M_X64
1537+
1538+
1539+ BOOL isWow64 = FALSE ;
1540+ if (!IsWow64Process (hproc, &isWow64)) {
1541+ return " " ; // in this case, we don't need to return an error code if it fails, we just silently fall back
1542+ // to the existing target name we already had so it doesn't matter much
1543+ }
1544+ bool isWoW64 = isWow64;
1545+
1546+ if (!isWoW64) {
1547+
1548+ typedef NTSTATUS (WINAPI *pNtQueryInformationProcess)(HANDLE , PROCESSINFOCLASS , PVOID , ULONG , PULONG );
1549+ auto queryInfo = (pNtQueryInformationProcess)GetProcAddress (GetModuleHandleA (" ntdll.dll" ), " NtQueryInformationProcess" );
1550+ if (!queryInfo) {
1551+ return " " ;
1552+ }
1553+
1554+ PROCESS_BASIC_INFORMATION pbi;
1555+ if (queryInfo (hproc, ProcessBasicInformation, &pbi, sizeof (pbi), NULL ) != 0 ) {
1556+
1557+ return " " ;
1558+ }
1559+
1560+ PVOID procParamPtr = nullptr ;
1561+ if (!ReadProcessMemory (hproc, (BYTE *)pbi.PebBaseAddress + 0x20 , &procParamPtr, sizeof (PVOID ), NULL )) {
1562+ return " " ;
1563+ }
1564+
1565+ UNICODE_STRING cmdLStruct;
1566+ SIZE_T bytesRead2 = 0 ;
1567+ if (!ReadProcessMemory (hproc, (BYTE *)procParamPtr + 0x38 , &cmdLStruct, sizeof (cmdLStruct), &bytesRead2)) {
1568+ return " " ;
1569+ }
1570+
1571+ if (cmdLStruct.Length == 0 || (cmdLStruct.Length % sizeof (wchar_t )) != 0 || cmdLStruct.Length > 65534 ) {
1572+ return " " ;
1573+ }
1574+
1575+ size_t wchar_count = cmdLStruct.Length / sizeof (wchar_t );
1576+ std::vector<wchar_t > buffer (wchar_count + 1 , 0 );
1577+ if (!ReadProcessMemory (hproc, cmdLStruct.Buffer , buffer.data (), cmdLStruct.Length , NULL ))
1578+ {
1579+ return " " ;
1580+ }
1581+
1582+ std::wstring stringBuffer = buffer.data ();
1583+ return WideToString (stringBuffer);
1584+
1585+
1586+ } else {
1587+ auto queryInfo = (pNtQueryInformationProcess)GetProcAddress (GetModuleHandleA (" ntdll.dll" ), " NtQueryInformationProcess" );
1588+ if (!queryInfo) {
1589+ v
1590+ }
1591+
1592+ ULONG_PTR peb32Address = 0 ;
1593+ NTSTATUS status = queryInfo (hproc, ProcessWow64Information, &peb32Address, sizeof (peb32Address), NULL );
1594+ if (status != 0 || peb32Address == 0 ) {
1595+ return " " ;
1596+ }
1597+
1598+ ULONG procParamPtr32 = 0 ;
1599+ if (!ReadProcessMemory (hproc, (BYTE *)peb32Address + 0x10 , &procParamPtr32, sizeof (procParamPtr32), NULL )) {
1600+ return " " ;
1601+ }
1602+
1603+ UNICODE_STRING32 cmdLStruct32{};
1604+ if (!ReadProcessMemory (hproc, (BYTE *)(ULONG_PTR )procParamPtr32 + 0x24 , &cmdLStruct32, sizeof (cmdLStruct32), NULL )) {
1605+ return " " ;
1606+ }
1607+
1608+ if (cmdLStruct32.Length == 0 || (cmdLStruct32.Length % sizeof (wchar_t )) != 0 || cmdLStruct32.Length > 65534 ) {
1609+ return " " ;
1610+ }
1611+
1612+ size_t wchar_count = cmdLStruct32.Length / sizeof (wchar_t );
1613+ std::vector<wchar_t > buffer (wchar_count + 1 , 0 );
1614+ if (!ReadProcessMemory (hproc, (PVOID )(ULONG_PTR )cmdLStruct32.Buffer , buffer.data (), cmdLStruct32.Length , NULL ))
1615+ {
1616+ return " " ;
1617+ }
1618+
1619+ std::wstring stringBuffer = buffer.data ();
1620+ return WideToString (stringBuffer);
1621+ }
1622+ #elif defined(_M_IX86)
1623+ BOOL areWeWoW64 = FALSE ;
1624+ IsWow64Process (GetCurrentProcess (), &areWeWoW64);
1625+ if (!areWeWoW64) {
1626+ typedef NTSTATUS (WINAPI *pNtQueryInformationProcess)(HANDLE , PROCESSINFOCLASS , PVOID , ULONG , PULONG );
1627+ auto queryInfo = (pNtQueryInformationProcess)GetProcAddress (GetModuleHandleA (" ntdll.dll" ), " NtQueryInformationProcess" );
1628+ if (!queryInfo) {
1629+ return " " ;
1630+ }
1631+
1632+ PROCESS_BASIC_INFORMATION pbi;
1633+ if (queryInfo (hproc, ProcessBasicInformation, &pbi, sizeof (pbi), NULL ) != 0 ) {
1634+
1635+ return " " ;
1636+ }
1637+
1638+ PVOID procParamPtr = nullptr ;
1639+ if (!ReadProcessMemory (hproc, (BYTE *)pbi.PebBaseAddress + 0x10 , &procParamPtr, sizeof (PVOID ), NULL )) {
1640+ return " " ;
1641+ }
1642+
1643+ UNICODE_STRING cmdLStruct;
1644+ SIZE_T bytesRead2 = 0 ;
1645+ if (!ReadProcessMemory (hproc, (BYTE *)procParamPtr + 0x24 , &cmdLStruct, sizeof (cmdLStruct), &bytesRead2)) {
1646+ return " " ;
1647+ }
1648+
1649+ if (cmdLStruct.Length == 0 || (cmdLStruct.Length % sizeof (wchar_t )) != 0 || cmdLStruct.Length > 65534 ) {
1650+ return " " ;
1651+ }
1652+
1653+ size_t wchar_count = cmdLStruct.Length / sizeof (wchar_t );
1654+ std::vector<wchar_t > buffer (wchar_count + 1 , 0 );
1655+ if (!ReadProcessMemory (hproc, cmdLStruct.Buffer , buffer.data (), cmdLStruct.Length , NULL ))
1656+ {
1657+ return " " ;
1658+ }
1659+
1660+ std::wstring stringBuffer = buffer.data ();
1661+ return WideToString (stringBuffer);
1662+ } else {
1663+
1664+ BOOL targetIsWow64 = FALSE ;
1665+
1666+ IsWow64Process (hproc, &targetIsWow64);
1667+ if (targetIsWow64) {
1668+
1669+ typedef NTSTATUS (WINAPI *pNtQueryInformationProcess)(HANDLE , PROCESSINFOCLASS , PVOID , ULONG , PULONG );
1670+ auto queryInfo = (pNtQueryInformationProcess)GetProcAddress (GetModuleHandleA (" ntdll.dll" ), " NtQueryInformationProcess" );
1671+ if (!queryInfo) {
1672+ return " " ;
1673+ }
1674+
1675+ PROCESS_BASIC_INFORMATION pbi;
1676+ if (queryInfo (hproc, ProcessBasicInformation, &pbi, sizeof (pbi), NULL ) != 0 ) {
1677+
1678+ return " " ;
1679+ }
1680+
1681+ PVOID procParamPtr = nullptr ;
1682+ if (!ReadProcessMemory (hproc, (BYTE *)pbi.PebBaseAddress + 0x10 , &procParamPtr, sizeof (PVOID ), NULL )) {
1683+ return " " ;
1684+ }
1685+
1686+ UNICODE_STRING cmdLStruct;
1687+ SIZE_T bytesRead2 = 0 ;
1688+ if (!ReadProcessMemory (hproc, (BYTE *)procParamPtr + 0x24 , &cmdLStruct, sizeof (cmdLStruct), &bytesRead2)) {
1689+ return " " ;
1690+ }
1691+
1692+ if (cmdLStruct.Length == 0 || (cmdLStruct.Length % sizeof (wchar_t )) != 0 || cmdLStruct.Length > 65534 ) {
1693+ return " " ;
1694+ }
1695+
1696+ size_t wchar_count = cmdLStruct.Length / sizeof (wchar_t );
1697+ std::vector<wchar_t > buffer (wchar_count + 1 , 0 );
1698+ if (!ReadProcessMemory (hproc, cmdLStruct.Buffer , buffer.data (), cmdLStruct.Length , NULL ))
1699+ {
1700+ return " " ;
1701+ }
1702+
1703+ std::wstring stringBuffer = buffer.data ();
1704+ return WideToString (stringBuffer);
1705+
1706+ } else {
1707+
1708+ HMODULE ntdll = GetModuleHandleA (" ntdll.dll" );
1709+ auto queryInfo64 = (pNtWow64QueryInformationProcess64)GetProcAddress (ntdll, " NtWow64QueryInformationProcess64" );
1710+ auto readMem64 = (pNtWow64ReadVirtualMemory64)GetProcAddress (ntdll, " NtWow64ReadVirtualMemory64" );
1711+
1712+ if (!queryInfo64 || !readMem64) {
1713+ return " " ;
1714+ }
1715+
1716+ HANDLE targetHandle = hproc;
1717+ HANDLE openedHandle = NULL ;
1718+ DWORD targetPid = 0 ;
1719+ if (hproc != NULL ) {
1720+ targetPid = GetProcessId (hproc);
1721+ }
1722+ if (targetPid != 0 ) {
1723+ openedHandle = OpenProcess (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ , FALSE , targetPid);
1724+ if (openedHandle) targetHandle = openedHandle;
1725+ }
1726+
1727+ PROCESS_BASIC_INFORMATION64 pbi64{};
1728+ ULONG returnLen = 0 ;
1729+ NTSTATUS status = queryInfo64 (targetHandle, ProcessBasicInformation, &pbi64, sizeof (pbi64), &returnLen);
1730+ ULONG64 peb64Address = pbi64.PebBaseAddress ;
1731+ if (status != 0 || peb64Address == 0 ) {
1732+ if (openedHandle) CloseHandle (openedHandle);
1733+ return " " ;
1734+ }
1735+
1736+ ULONG64 procParamPtr64 = 0 ;
1737+ status = readMem64 (targetHandle, peb64Address + 0x20 , &procParamPtr64, sizeof (procParamPtr64), NULL );
1738+ if (status != 0 ) {
1739+ if (openedHandle) CloseHandle (openedHandle);
1740+ return " " ;
1741+ }
1742+
1743+ UNICODE_STRING64 cmdLStruct64;
1744+ status = readMem64 (targetHandle, procParamPtr64 + 0x38 , &cmdLStruct64, sizeof (cmdLStruct64), NULL );
1745+ if (status != 0 ) {
1746+ if (openedHandle) CloseHandle (openedHandle);
1747+ return " " ;
1748+ }
1749+
1750+ if (cmdLStruct64.Length == 0 || (cmdLStruct64.Length % sizeof (wchar_t )) != 0 || cmdLStruct64.Length > 65534 ) {
1751+ if (openedHandle) CloseHandle (openedHandle);
1752+ return " " ;
1753+ }
1754+
1755+ size_t wchar_count = cmdLStruct64.Length / sizeof (wchar_t );
1756+ std::vector<wchar_t > buffer (wchar_count + 1 , 0 );
1757+ status = readMem64 (targetHandle, cmdLStruct64.Buffer , buffer.data (), cmdLStruct64.Length , NULL );
1758+ if (status != 0 ) {
1759+ if (openedHandle) CloseHandle (openedHandle);
1760+ return " " ;
1761+ }
1762+
1763+ if (openedHandle) CloseHandle (openedHandle);
1764+ std::wstring wstr (buffer.data ());
1765+ return WideToString (wstr);
1766+
1767+
1768+
1769+ }
1770+
1771+ }
1772+ #elif defined(_M_ARM64)
1773+
1774+
1775+ BOOL isWow64 = FALSE ;
1776+ if (!IsWow64Process (hproc, &isWow64)) {
1777+ return " " ;
1778+ }
1779+ bool isWoW64 = isWow64;
1780+
1781+ if (!isWoW64) {
1782+
1783+ typedef NTSTATUS (WINAPI *pNtQueryInformationProcess)(HANDLE , PROCESSINFOCLASS , PVOID , ULONG , PULONG );
1784+ auto queryInfo = (pNtQueryInformationProcess)GetProcAddress (GetModuleHandleA (" ntdll.dll" ), " NtQueryInformationProcess" );
1785+
1786+ if (!queryInfo) {
1787+ return " " ;
1788+ }
1789+
1790+ PROCESS_BASIC_INFORMATION pbi;
1791+ if (queryInfo (hproc, ProcessBasicInformation, &pbi, sizeof (pbi), NULL ) != 0 ) {
1792+
1793+ return " " ;
1794+ }
1795+
1796+ PVOID procParamPtr = nullptr ;
1797+ if (!ReadProcessMemory (hproc, (BYTE *)pbi.PebBaseAddress + 0x20 , &procParamPtr, sizeof (PVOID ), NULL )) {
1798+ return " " ;
1799+ }
1800+
1801+ UNICODE_STRING cmdLStruct;
1802+ SIZE_T bytesRead2 = 0 ;
1803+ if (!ReadProcessMemory (hproc, (BYTE *)procParamPtr + 0x38 , &cmdLStruct, sizeof (cmdLStruct), &bytesRead2)) {
1804+ return " " ;
1805+ }
1806+
1807+ if (cmdLStruct.Length == 0 || (cmdLStruct.Length % sizeof (wchar_t )) != 0 || cmdLStruct.Length > 65534 ) {
1808+ return " " ;
1809+ }
1810+
1811+ size_t wchar_count = cmdLStruct.Length / sizeof (wchar_t );
1812+ std::vector<wchar_t > buffer (wchar_count + 1 , 0 );
1813+ if (!ReadProcessMemory (hproc, cmdLStruct.Buffer , buffer.data (), cmdLStruct.Length , NULL ))
1814+ {
1815+ return " " ;
1816+ }
1817+
1818+ std::wstring stringBuffer = buffer.data ();
1819+ return WideToString (stringBuffer);
1820+
1821+
1822+ } else {
1823+
1824+ auto queryInfo = (pNtQueryInformationProcess)GetProcAddress (GetModuleHandleA (" ntdll.dll" ), " NtQueryInformationProcess" );
1825+ if (!queryInfo) {
1826+ return " " ;
1827+ }
1828+
1829+ ULONG_PTR peb32Address = 0 ;
1830+ NTSTATUS status = queryInfo (hproc, ProcessWow64Information, &peb32Address, sizeof (peb32Address), NULL );
1831+ if (status != 0 || peb32Address == 0 ) {
1832+ return " " ;
1833+ }
1834+
1835+ ULONG procParamPtr32 = 0 ;
1836+ if (!ReadProcessMemory (hproc, (BYTE *)peb32Address + 0x10 , &procParamPtr32, sizeof (procParamPtr32), NULL )) {
1837+ return " " ;
1838+ }
1839+
1840+ UNICODE_STRING32 cmdLStruct32{};
1841+ if (!ReadProcessMemory (hproc, (BYTE *)(ULONG_PTR )procParamPtr32 + 0x24 , &cmdLStruct32, sizeof (cmdLStruct32), NULL )) {
1842+ return " " ;
1843+ }
1844+
1845+ if (cmdLStruct32.Length == 0 || (cmdLStruct32.Length % sizeof (wchar_t )) != 0 || cmdLStruct32.Length > 65534 ) {
1846+ return " " ;
1847+ }
1848+
1849+ size_t wchar_count = cmdLStruct32.Length / sizeof (wchar_t );
1850+ std::vector<wchar_t > buffer (wchar_count + 1 , 0 );
1851+ if (!ReadProcessMemory (hproc, (PVOID )(ULONG_PTR )cmdLStruct32.Buffer , buffer.data (), cmdLStruct32.Length , NULL ))
1852+ {
1853+ return " " ;
1854+ }
1855+
1856+ std::wstring stringBuffer = buffer.data ();
1857+ return WideToString (stringBuffer);
1858+ }
1859+ #else
1860+ return " " ;
1861+ #endif
1862+ }
1863+
15161864void PrintAncestry (DWORD pid, HANDLE hSnapshot, const std::unordered_map<DWORD , PROCESSENTRY32 >& pidMap) {
15171865 // now we're geting the name
15181866// we're making it slower by adding a bunch of snapshots
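Review bot: The new GetWindowTitle does not compile on the _M_X64 and _M_ARM64 paths: the stray token `v` at 1589 is not a statement, and `pNtQueryInformationProcess` is a typedef local to the `if (!isWoW64)` block (1548, 1783) yet is used in the sibling `else` branches (1587, 1824) where it is out of scope. Hoisting the typedef to the top of the function, above `#ifdef _M_X64`, and replacing `v` with `return "";` fixes both. The PEB/ProcessParameters offsets (0x20/0x38 on 64-bit, 0x10/0x24 on 32-bit) are undocumented hard-coded layout assumptions, and as far as I recall 0x38 and 0x24 land in CurrentDirectory rather than WindowTitle, so please confirm against the RTL_USER_PROCESS_PARAMETERS layout and name each one, e.g. `constexpr SIZE_T kPebProcessParamsOffset64 = 0x20;`, with a comment stating which field it addresses. The comment block of digits at 1516-1526 carries no information and should be dropped before merge.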
@@ -1756,20 +2104,32 @@ void PIDinspect(const std::vector<DWORD>& pids, const std::vector<std::string>&
17562104 } while (Process32Next (hshot, &pe32));
17572105 }
17582106 std::string procName = GetProcessNameFromPid (pid, hshot);
2107+ std::string process = GetWindowTitle (hshot);
2108+
2109+
17592110 if (virtualTerminalEnabled) {
2111+ if (!process == " " ) {
2112+ std::cout << " \033 [34mTarget:\033 [0m " << procName << " \033 [0m" << std::endl;
2113+ std::cout << " \033 [34mProcess:\033 [0m " << process << " \033 [90m (pid " << std::to_string (pid) << " )\033 [0m" << std::endl;
2114+ } else {
17602115 if (procName == " " ){
17612116 std::cout << " \033 [34mTarget:\033 [0m N/A\n\033 [34mProcess:\033 [0m N/A\n " ;
17622117 } else {
17632118 std::cout << " \033 [34mTarget:\033 [0m " << procName << " \033 [0m" << std::endl;
17642119 std::cout << " \033 [34mProcess:\033 [0m " << procName << " \033 [90m (pid " << std::to_string (pid) << " )\033 [0m" << std::endl;
17652120 }
17662121 } else {
2122+ if (!process == " " ) {
2123+ std::cout << " Target: " << procName << std::endl;
2124+ std::cout << " Process: " << process << " (pid " << std::to_string (pid) << " )" << std::endl;
2125+ } else {
17672126 if (procName == " " ){
17682127 std::cout << " Target: N/A\n Process: N/A\n " ;
17692128 } else {
17702129 std::cout << " Target: " << procName << std::endl;
17712130 std::cout << " Process: " << procName << " (pid " << std::to_string (pid) << " )" << std::endl;
17722131 }
2132+ }
17732133 }
17742134
17752135
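Review bot: `if (!process == " ")` at 2111 and 2122 does not compile, because `std::string` has no `operator!`, and the intended test is that the title is non-empty, i.e. `if (!process.empty())`. Separately, `GetWindowTitle(hshot)` at 2107 passes the Toolhelp snapshot handle rather than a process handle, so IsWow64Process and NtQueryInformationProcess inside it will fail on every call and the new branch is dead code; open the target by pid with the same PROCESS_QUERY_INFORMATION | PROCESS_VM_READ rights the hunk already requests at 1723, and close the handle once the title has been read. PIDinspect starts outside the hunk.
```cpp
std::string procName = GetProcessNameFromPid(pid, hshot);
HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
std::string process = hProc ? GetWindowTitle(hProc) : "";
if (hProc) CloseHandle(hProc);
if (virtualTerminalEnabled) {
    if (!process.empty()) {
        // … unchanged: coloured Target/Process lines …
    } else {
        // … unchanged: existing procName fallback …
    }
} else {
    if (!process.empty()) {
        // … unchanged: plain Target/Process lines …
    } else {
        // … unchanged: existing procName fallback …
    }
}
```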