unit EvilWorks.System.ProcessUtils;
interface
uses
WinApi.Windows,
WinApi.PsApi,
System.SysUtils;
const
// Presumably redeclared because the WinApi.Windows unit in use lacks them; values follow the Windows SDK.
// PROCESS_QUERY_LIMITED_INFORMATION is the reduced access right used on Vista+ (see GetWindowProcessPriorityClass).
{$EXTERNALSYM PROCESS_QUERY_LIMITED_INFORMATION}
PROCESS_QUERY_LIMITED_INFORMATION = $1000;
{$EXTERNALSYM BELOW_NORMAL_PRIORITY_CLASS}
BELOW_NORMAL_PRIORITY_CLASS = $00004000;
{$EXTERNALSYM ABOVE_NORMAL_PRIORITY_CLASS}
ABOVE_NORMAL_PRIORITY_CLASS = $00008000;
type
// Signatures of the GetProcessImageFileName* entry points. They are bound at run time
// (see CheckStubsLoaded in the implementation) because the DLL that exports them
// differs between Windows versions (PSAPI.dll vs. Kernel32).
// The unadorned variant takes LPWSTR, i.e. it is the wide-character form.
TGetProcessImageFileName = function(hProcess: THandle; lpImageFileName: LPWSTR; nSize: DWORD): DWORD; stdcall;
TGetProcessImageFileNameA = function(hProcess: THandle; lpImageFileName: LPSTR; nSize: DWORD): DWORD; stdcall;
TGetProcessImageFileNameW = function(hProcess: THandle; lpImageFileName: LPWSTR; nSize: DWORD): DWORD; stdcall;
// Wrappers over the dynamically bound entry points. Each returns 0 (the API's own failure
// value) when the entry point could not be resolved on this system.
{$EXTERNALSYM GetProcessImageFileName}
function GetProcessImageFileName(hProcess: THandle; lpImageFileName: LPWSTR; nSize: DWORD): DWORD; stdcall;
{$EXTERNALSYM GetProcessImageFileNameA}
function GetProcessImageFileNameA(hProcess: THandle; lpImageFileName: LPSTR; nSize: DWORD): DWORD; stdcall;
{$EXTERNALSYM GetProcessImageFileNameW}
function GetProcessImageFileNameW(hProcess: THandle; lpImageFileName: LPWSTR; nSize: DWORD): DWORD; stdcall;
// Statically imported from kernel32, unlike the GetProcessImageFileName* family above.
{$EXTERNALSYM AttachConsole}
function AttachConsole(dwProcessId: DWORD): BOOL; stdcall; external kernel32 name 'AttachConsole';
// Executable path of the process owning a window; raises EOSError (RaiseLastOSError) when the
// process cannot be opened or its modules cannot be enumerated.
function GetWindowModuleName(const aHandle: HWND): string;
// Executable path for a PID; '<Unknown>' for PID 0, 'System' when OpenProcess is denied.
function GetPIDModuleName(const aProcessID: DWORD): string;
// Sets / reads the priority class of the process owning a window. Failure: False / 0.
function SetWindowProcessPriorityClass(const aWindow: HWND; const aPriority: cardinal): boolean;
function GetWindowProcessPriorityClass(const aWindow: HWND): cardinal;
// Snapshot of all PIDs via EnumProcesses; empty array on failure.
function GetProcessIDs: TArray<DWORD>;
implementation
uses
EvilWorks.System.SysUtils;
const
// Module that exports GetProcessImageFileName* on systems older than Windows 7 (see CheckStubsLoaded).
PsApi = 'PSAPI.dll';
var
// Module handles obtained by LoadLibrary in CheckStubsLoaded; 0 means not (yet) loaded.
// They are kept for the life of the process: nothing in this unit calls FreeLibrary.
hPSAPI : THandle;
hKernel32 : THandle;
// Entry points resolved with GetProcAddress in CheckStubsLoaded; nil until that succeeds.
// The unadorned one is bound to the W export (its parameter type is LPWSTR).
_GetProcessImageFileName : TGetProcessImageFileName;
_GetProcessImageFileNameA: TGetProcessImageFileNameA;
_GetProcessImageFileNameW: TGetProcessImageFileNameW;
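{ Lazily binds the GetProcessImageFileName* entry points used by the wrappers below.
  PSAPI.dll is tried first, then Kernel32 (see the Windows-version notes inline).
  Returns True only when the W entry point was actually resolved; the previous version
  returned True even when every GetProcAddress came back nil, so a wrapper could call
  through a nil procedural variable.
  Module handles are cached in hPSAPI / hKernel32 for the life of the process and never freed.
  Not synchronized: callers on several threads may see the bind run more than once. }
function CheckStubsLoaded: boolean;

  { Resolves all three stubs from aModule; True when the unadorned (W) one was found. }
  function ResolveFrom(const aModule: THandle): boolean;
  begin
    // The unadorned name is bound to the W export, matching its LPWSTR parameter type.
    @_GetProcessImageFileName  := GetProcAddress(aModule, 'GetProcessImageFileNameW');
    @_GetProcessImageFileNameA := GetProcAddress(aModule, 'GetProcessImageFileNameA');
    @_GetProcessImageFileNameW := GetProcAddress(aModule, 'GetProcessImageFileNameW');
    Result := Assigned(_GetProcessImageFileName);
  end;

begin
  if (hPSAPI = 0) then
  begin
    // Psapi.lib on Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP/2000;
    // Psapi.lib if PSAPI_VERSION=1 on Windows 7 and Windows Server 2008 R2.
    // NOTE(review): loaded by bare module name, i.e. through the default DLL search order, which
    // looks in the application directory before System32 unless the module is a KnownDLL. Where the
    // target OS supports it, LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32 pins it to System32;
    // that is not done here because the unit still supports XP/2003.
    hPSAPI := LoadLibrary(PsApi);
    if (hPSAPI < 32) then   // LoadLibrary returns 0 on failure; "< 32" is a Win16-era idiom kept as-is
    begin
      hPSAPI := 0;
      Exit(False);
    end;
    ResolveFrom(hPSAPI);
  end;
  if (not Assigned(_GetProcessImageFileName)) then
  begin
    // Kernel32.lib on Windows 7 and Windows Server 2008 R2.
    if (hKernel32 = 0) then
    begin
      hKernel32 := LoadLibrary(kernel32);
      if (hKernel32 < 32) then
      begin
        hKernel32 := 0;
        Exit(False);
      end;
    end;
    ResolveFrom(hKernel32);
  end;
  // Only report success when the wrappers actually have something to call.
  Result := Assigned(_GetProcessImageFileName);
end;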
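{ Wide-character GetProcessImageFileName (bound to the W export; see CheckStubsLoaded).
  hProcess       - process handle opened with at least PROCESS_QUERY_LIMITED_INFORMATION (per the Windows API).
  lpImageFileName - buffer receiving the device-form image path.
  nSize          - buffer size in characters.
  Returns the number of characters copied, or 0 on failure. When the entry point is not
  available on this system, returns 0 and sets the last error to ERROR_PROC_NOT_FOUND so
  callers that follow the API's GetLastError convention do not read a stale code. }
function GetProcessImageFileName(hProcess: THandle; lpImageFileName: LPWSTR; nSize: DWORD): DWORD;
begin
  // The Assigned check guards against a partially resolved stub table.
  if (CheckStubsLoaded) and Assigned(_GetProcessImageFileName) then
    Result := _GetProcessImageFileName(hProcess, lpImageFileName, nSize)
  else
  begin
    SetLastError(ERROR_PROC_NOT_FOUND);
    Result := 0;
  end;
end;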
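{ ANSI GetProcessImageFileName (see CheckStubsLoaded for the run-time bind).
  hProcess       - process handle opened with at least PROCESS_QUERY_LIMITED_INFORMATION (per the Windows API).
  lpImageFileName - buffer receiving the device-form image path.
  nSize          - buffer size in characters.
  Returns the number of characters copied, or 0 on failure. When the A entry point is not
  available, returns 0 and sets the last error to ERROR_PROC_NOT_FOUND. The previous version
  only checked that the W stub was resolved, so a missing A export was called through nil. }
function GetProcessImageFileNameA(hProcess: THandle; lpImageFileName: LPSTR; nSize: DWORD): DWORD;
begin
  // Check this wrapper's own stub, not just the overall load state.
  if (CheckStubsLoaded) and Assigned(_GetProcessImageFileNameA) then
    Result := _GetProcessImageFileNameA(hProcess, lpImageFileName, nSize)
  else
  begin
    SetLastError(ERROR_PROC_NOT_FOUND);
    Result := 0;
  end;
end;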
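{ Wide-character GetProcessImageFileName (see CheckStubsLoaded for the run-time bind).
  hProcess       - process handle opened with at least PROCESS_QUERY_LIMITED_INFORMATION (per the Windows API).
  lpImageFileName - buffer receiving the device-form image path.
  nSize          - buffer size in characters.
  Returns the number of characters copied, or 0 on failure. When the W entry point is not
  available, returns 0 and sets the last error to ERROR_PROC_NOT_FOUND. }
function GetProcessImageFileNameW(hProcess: THandle; lpImageFileName: LPWSTR; nSize: DWORD): DWORD;
begin
  // Check this wrapper's own stub, not just the overall load state.
  if (CheckStubsLoaded) and Assigned(_GetProcessImageFileNameW) then
    Result := _GetProcessImageFileNameW(hProcess, lpImageFileName, nSize)
  else
  begin
    SetLastError(ERROR_PROC_NOT_FOUND);
    Result := 0;
  end;
end;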
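{ Gets filename of the executable to which a window belongs.
  aHandle - window handle; its owning process is opened with
            PROCESS_QUERY_INFORMATION or PROCESS_VM_READ (what EnumProcessModules /
            GetModuleFileNameEx need).
  Returns '' when the module list is empty or the file name cannot be read.
  Raises EOSError (via RaiseLastOSError) when aHandle is not a window, when the process
  cannot be opened (e.g. ERROR_ACCESS_DENIED for a process the caller lacks rights to), or
  when EnumProcessModules fails. EnumProcessModules is documented to fail across a
  32/64-bit boundary, so callers should expect the exception there.
  Fixes relative to the previous version: the process handle is released on every path
  (it leaked when EnumProcessModules raised), an empty module list no longer indexes
  moduleArray[0], and a failed GetModuleFileNameEx no longer returns MAX_PATH characters
  of uninitialized buffer. }
function GetWindowModuleName(const aHandle: HWND): string;
var
  processID    : DWORD;
  processHandle: THandle;
  moduleArray  : array of hModule;
  arrayLen     : DWORD;
  len          : DWORD;
begin
  Result := '';
  processID := 0;
  // Return value is the thread id; 0 means aHandle is not a valid window.
  if (GetWindowThreadProcessId(aHandle, @processID) = 0) then
    RaiseLastOSError;
  processHandle := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, False, processID);
  if (processHandle = 0) then
    RaiseLastOSError;
  try
    arrayLen := 0;
    // First call with cb = 0 only reports the buffer size needed.
    EnumProcessModules(processHandle, nil, 0, arrayLen);
    if (arrayLen < SizeOf(hModule)) then
      Exit;   // nothing enumerable (or the size query failed): no name to return
    SetLength(moduleArray, arrayLen div SizeOf(hModule));
    if (EnumProcessModules(processHandle, PDWord(@moduleArray[0]), arrayLen, arrayLen) = False) then
      RaiseLastOSError;
    // moduleArray[0] is the main executable module.
    SetLength(Result, MAX_PATH);
    len := GetModuleFileNameEx(processHandle, moduleArray[0], PChar(Result), Length(Result));
    // len = 0 signals failure; truncating to 0 discards the unfilled buffer.
    SetLength(Result, len);
  finally
    CloseHandle(processHandle);
  end;
end;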
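{ Gets filename of the executable for a Process ID.
  aProcessID - PID to look up.
  Returns '<Unknown>' for PID 0 and 'System' when OpenProcess reports ERROR_ACCESS_DENIED.
  NOTE: that 'System' label is a guess kept for compatibility; any process the caller is
  not allowed to open (another user's, an elevated or a protected process) is reported the
  same way, so callers must not treat it as an identification.
  Raises EOSError for any other OpenProcess failure or when the image name cannot be read.
  Fixes relative to the previous version: the buffer was allocated as MAX_PATH *bytes*
  (AllocMem) while GetModuleFileNameEx was told it held MAX_PATH *characters*; with a
  WideChar PChar that let a path longer than MAX_PATH div 2 characters overrun the heap.
  The last-error code is now captured before CloseHandle so the raised exception carries
  the cause of the actual failure rather than whatever CloseHandle left behind. }
function GetPIDModuleName(const aProcessID: DWORD): string;
var
  processHandle: THandle;
  ret          : DWORD;
  err          : DWORD;
begin
  Result := '';
  if (aProcessID = 0) then
    Exit('<Unknown>');
  processHandle := OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION or PROCESS_VM_READ, False, aProcessID);
  if (processHandle = 0) then
  begin
    err := GetLastError;
    if (err = ERROR_ACCESS_DENIED) then
      Exit('System');
    RaiseLastOSError(err);
  end;
  // Buffer sized in characters, matching the nSize argument below.
  SetLength(Result, MAX_PATH);
  ret := GetModuleFileNameEx(processHandle, 0, PChar(Result), Length(Result));
  err := GetLastError;   // capture before CloseHandle can disturb it
  CloseHandle(processHandle);
  if (ret = 0) then
  begin
    Result := '';
    RaiseLastOSError(err);
  end;
  SetLength(Result, ret);
end;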
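{ Sets priority of the process that owns the aWindow.
  aWindow   - window whose owning process is targeted.
  aPriority - one of the *_PRIORITY_CLASS constants, passed straight to SetPriorityClass.
  Returns False when aWindow is not a window, when its process cannot be opened with
  PROCESS_SET_INFORMATION (e.g. access denied on a process of another user or a higher
  integrity level), or when SetPriorityClass fails; GetLastError then holds the cause.
  The process handle is closed on every path (the previous version never closed it). }
function SetWindowProcessPriorityClass(const aWindow: HWND; const aPriority: cardinal): boolean;
var
  processID    : DWORD;
  processHandle: THandle;
begin
  Result := False;
  processID := 0;
  // Return value is the thread id; 0 means aWindow is not a valid window.
  if (GetWindowThreadProcessId(aWindow, @processID) = 0) then
    Exit;
  processHandle := OpenProcess(PROCESS_SET_INFORMATION, False, processID);
  if (processHandle = 0) then
    Exit;
  try
    Result := SetPriorityClass(processHandle, aPriority);
  finally
    CloseHandle(processHandle);
  end;
end;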
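{ Gets priority of the process that owns the aWindow. If failed returns 0.
  aWindow - window whose owning process is queried.
  On Vista and later (TOSVersion.Check(6)) the process is opened with
  PROCESS_QUERY_LIMITED_INFORMATION, the smallest right GetPriorityClass accepts there and
  one that is typically still granted on processes the caller could not open with
  PROCESS_QUERY_INFORMATION; older systems need the full right.
  Returns 0 when aWindow is not a window, when OpenProcess fails, or when GetPriorityClass
  fails (GetLastError then holds the cause). The process handle is closed on every path
  (the previous version never closed it). }
function GetWindowProcessPriorityClass(const aWindow: HWND): cardinal;
var
  processID    : DWORD;
  processHandle: THandle;
  access       : DWORD;
begin
  Result := 0;
  processID := 0;
  // Return value is the thread id; 0 means aWindow is not a valid window.
  if (GetWindowThreadProcessId(aWindow, @processID) = 0) then
    Exit;
  if (TOSVersion.Check(6)) then
    access := PROCESS_QUERY_LIMITED_INFORMATION
  else
    access := PROCESS_QUERY_INFORMATION;
  processHandle := OpenProcess(access, False, processID);
  if (processHandle = 0) then
    Exit;
  try
    Result := GetPriorityClass(processHandle);   // 0 on failure, same as the API
  finally
    CloseHandle(processHandle);
  end;
end;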
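{ Retrieves the process identifier for each process object in the system.
  Returns an empty array if EnumProcesses fails.
  EnumProcesses gives no way to tell "buffer exactly full" from "truncated", so the buffer
  is doubled and the call repeated while it comes back completely filled. The previous
  version used a single fixed 1024-entry buffer and silently dropped any further PIDs, and
  returned 1024 zero entries when the API reported no bytes.
  The result is a point-in-time snapshot: processes may start or exit at any moment. }
function GetProcessIDs: TArray<DWORD>;
var
  numReturned: DWORD;
  capacity   : integer;
begin
  capacity := 1024;
  repeat
    SetLength(Result, capacity);
    if (EnumProcesses(@Result[0], capacity * SizeOf(DWORD), numReturned) = False) then
    begin
      SetLength(Result, 0);
      Exit;
    end;
    // A partially filled buffer means every PID fit.
    if (numReturned < DWORD(capacity * SizeOf(DWORD))) then
      Break;
    capacity := capacity * 2;
  until False;
  SetLength(Result, numReturned div SizeOf(DWORD));
end;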
end.