@rbmm
Created May 4, 2024 15:14
// Always zero, but declared volatile so the compiler cannot fold the value:
// LookupSids passes it to alloca() to obtain the current stack position
// without reserving any bytes (see `stack = alloca(guz)` there).
extern volatile const UCHAR guz = 0;
// Returns a printable name for a SYSTEM_PROCESS_INFORMATION_EXTENSION
// Classification value.
//
// Classification - value read from the extension record.
// buf/cch        - scratch buffer (and its size in chars) used only when the
//                  value is not one of the known constants; it then receives
//                  "<hex>" and is returned instead of a literal.
//
// Returns a string literal for known values, otherwise buf.
PCSTR get(ULONG Classification, PSTR buf, ULONG cch)
{
    static const struct
    {
        ULONG value;
        PCSTR text;
    } known[] = {
        { SystemProcessClassificationNormal,         "Normal" },
        { SystemProcessClassificationSystem,         "System" },
        { SystemProcessClassificationSecureSystem,   "Secure" },
        { SystemProcessClassificationMemCompression, "Compression" },
        { SystemProcessClassificationRegistry,       "Registry" },
    };

    for (const auto& entry : known)
    {
        if (entry.value == Classification)
        {
            return entry.text;
        }
    }

    // Unknown value: render it as "<hex>" into the caller's buffer.
    sprintf_s(buf, cch, "<%x>", Classification);
    return buf;
}
// Bit position at which LookupSids packs the 1-based SID index into each
// entry's UserSidOffset: the low 20 bits keep the original byte offset, the
// upper 12 bits hold the index (so at most 4095 distinct SIDs can be encoded).
enum { SidIndexShift = 20 };
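/*
 * Walks every SYSTEM_PROCESS_INFORMATION entry in buf, collects the distinct
 * user SIDs referenced by the per-entry extension, and resolves them with a
 * single LsaLookupSids2 call.
 *
 * buf               - _Inout_: buffer filled by NtQuerySystemInformation
 *                     (SystemFullProcessInformation). Each entry's
 *                     ext->UserSidOffset is rewritten in place: the byte
 *                     offset stays in the low SidIndexShift bits and the
 *                     1-based position of that SID in the de-duplicated set is
 *                     OR-ed into the bits above, so a later pass can locate the
 *                     matching LSA_TRANSLATED_NAME without re-walking.
 * ReferencedDomains - _Out_: domain list from LsaLookupSids2; the caller frees
 *                     it with LsaFreeMemory.
 * Names             - _Out_: translated names from LsaLookupSids2, in the same
 *                     order as the SID array handed to LSA (most recently
 *                     added SID first, i.e. Names[Count - Index]); the caller
 *                     frees it with LsaFreeMemory.
 * pCount            - _Out_: number of distinct SIDs found; written on every
 *                     path that reaches the LSA call, including failure.
 *
 * Returns STATUS_INTERNAL_ERROR when an offset or the SID count does not fit
 * the packed encoding, otherwise the status of LsaOpenPolicy/LsaLookupSids2.
 *
 * NOTE(review): UserSidOffset is read from the buffer and used as a pointer
 * offset without a check against the buffer length (the length is not passed
 * in); the contents are trusted as produced by the kernel.
 * NOTE(review): if no entry carries a SID, Count stays 0 and LsaLookupSids2 is
 * still called with an empty array — confirm that is tolerated.
 */
NTSTATUS LookupSids(_Inout_ PBYTE buf,
    _Out_ PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
    _Out_ PLSA_TRANSLATED_NAME *Names,
    _Out_ ULONG* pCount)
{
    // Two views of the same cursor: raw bytes for advancing, typed for reading.
    union {
        PBYTE pb;
        PSYSTEM_PROCESS_INFORMATION pspi;
    };
    pb = buf;
    ULONG NextEntryOffset = 0;

    // The SID array is grown downwards on this frame: alloca(guz) reserves
    // nothing (guz == 0) and yields the current stack position; each new slot
    // is taken by decrementing Sids and, once it drops below what was last
    // reserved, requesting one more PSID from alloca. This assumes alloca hands
    // out contiguous, descending frame memory (MSVC behaviour; not portable).
    PVOID stack = alloca(guz);
    PSID* Sids = (PSID*)stack;
    ULONG Count = 0, i, Index;

    do
    {
        pb += NextEntryOffset;
        // The extension record follows the thread array of the entry.
        PSYSTEM_PROCESS_INFORMATION_EXTENSION ext = (PSYSTEM_PROCESS_INFORMATION_EXTENSION)(pspi->TH + pspi->NumberOfThreads);

        if (ULONG UserSidOffset = ext->UserSidOffset)
        {
            // The offset must fit below the index bits or the packing would
            // corrupt it.
            if (UserSidOffset >= (1 << SidIndexShift))
            {
                return STATUS_INTERNAL_ERROR;
            }

            Index = 0;// only for suppress compiler warning
            PSID Sid = RtlOffsetToPointer(ext, UserSidOffset);

            // Linear search for an already-collected SID. Sids[0] is the most
            // recently added (entry number Count), so the counter i running
            // down from Count is exactly the 1-based entry number of *sids.
            if (i = Count)
            {
                PSID* sids = Sids;
                do
                {
                    if (RtlEqualSid(Sid, *sids++))
                    {
                        Index = i;
                        break;
                    }
                } while (--i);
            }

            // Not seen before: push it as a new slot below the current ones.
            if (!i)
            {
                if (--Sids < stack)
                {
                    stack = alloca(sizeof(PSID));
                }
                *Sids = Sid;
                Index = ++Count;
                // Index is stored in the (32 - SidIndexShift) bits above the
                // offset, so it must stay strictly below 1 << 12; allowing the
                // value 1 << 12 itself would shift to 0 and make the entry
                // look unindexed to the consumer.
                if (Count >= (1 << (32 - SidIndexShift)))
                {
                    return STATUS_INTERNAL_ERROR;
                }
            }

            // Record the 1-based index in the upper bits of the offset field.
            ext->UserSidOffset |= (Index << SidIndexShift);
        }
    } while (NextEntryOffset = pspi->NextEntryOffset);

    LSA_HANDLE PolicyHandle;
    OBJECT_ATTRIBUTES oa = { sizeof(oa) };
    NTSTATUS status;
    if (0 <= (status = LsaOpenPolicy(0, &oa, POLICY_LOOKUP_NAMES, &PolicyHandle)))
    {
        // Sids points at the lowest slot, so the array passed here is
        // newest-first; Names comes back in that same order.
        status = LsaLookupSids2(PolicyHandle, 0, Count, Sids, ReferencedDomains, Names);
        LsaClose(PolicyHandle);
    }
    *pCount = Count;
    return status;
}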
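/*
 * Prints one line per SYSTEM_PROCESS_INFORMATION entry in buf via DbgPrint:
 * pid(parent pid) session classification HasStrongId, plus, when the entry has
 * a user SID, the LSA use type, "DOMAIN\Name", the textual SID, and finally
 * the image name.
 *
 * buf     - _In_: buffer already processed by LookupSids, i.e. each
 *           ext->UserSidOffset carries the 1-based SID index above
 *           SidIndexShift and the byte offset below it.
 * Domains - _In_: ReferencedDomains->Domains from LookupSids.
 * Entries - _In_: ReferencedDomains->Entries (length of Domains).
 * Names   - _In_: translated names from LookupSids, newest SID first, so
 *           entry index Index maps to Names[Count - Index].
 * Count   - _In_: number of distinct SIDs (length of Names).
 *
 * An index outside 1..Count, or a DomainIndex outside Domains, is not used to
 * dereference anything: the entry is printed without a name / with an empty
 * domain respectively.
 */
void EmumProcesses(_In_ PBYTE buf,
    _In_ PLSA_TRUST_INFORMATION Domains,
    _In_ ULONG Entries,
    _In_ PLSA_TRANSLATED_NAME Names,
    _In_ ULONG Count)
{
    UNICODE_STRING Empty {};
    union {
        PBYTE pb;
        PSYSTEM_PROCESS_INFORMATION pspi;
    };
    pb = buf;

    // Scratch for RtlConvertSidToUnicodeString; sized for the longest SID.
    WCHAR sz[SECURITY_MAX_SID_STRING_CHARACTERS];
    UNICODE_STRING szSid = { 0, sizeof(sz), sz };
    ULONG NextEntryOffset = 0;

    do
    {
        pb += NextEntryOffset;
        PSYSTEM_PROCESS_INFORMATION_EXTENSION ext = (PSYSTEM_PROCESS_INFORMATION_EXTENSION)(pspi->TH + pspi->NumberOfThreads);

        char cc[16];
        PCSTR szClassification = get(ext->Classification, cc, _countof(cc));

        // Resolve the packed offset/index to a SID and its LSA name, if any.
        PLSA_TRANSLATED_NAME Name = 0;
        PSID Sid = 0;
        if (ULONG UserSidOffset = ext->UserSidOffset)
        {
            ULONG Index = UserSidOffset >> SidIndexShift;
            UserSidOffset &= (1 << SidIndexShift) - 1;
            // LookupSids only produces indices in 1..Count; anything else would
            // index Names out of bounds, so treat it as "no name".
            if (Index && Index <= Count)
            {
                Sid = RtlOffsetToPointer(ext, UserSidOffset);
                Name = Names + Count - Index;
            }
        }

        if (Name)
        {
            // On failure the previous Length would linger in szSid; print an
            // empty SID string instead of a stale one.
            if (0 > RtlConvertSidToUnicodeString(&szSid, Sid, FALSE))
            {
                szSid.Length = 0;
            }
            ULONG DomainIndex = Name->DomainIndex;
            PLSA_TRUST_INFORMATION Domain = DomainIndex < Entries ? Domains + DomainIndex : 0;
            DbgPrint("%x(%x) %x %s %x [%x] '%wZ\\%wZ' [%wZ] \"%wZ\"\n",
                pspi->UniqueProcessId,
                pspi->InheritedFromUniqueProcessId,
                pspi->SessionId,
                szClassification,
                ext->HasStrongId,
                Name->Use,
                Domain ? &Domain->Name : &Empty,
                &Name->Name,
                &szSid,
                pspi->ImageName);
        }
        else
        {
            DbgPrint("%x(%x) %x %s %x \"%wZ\"\n",
                pspi->UniqueProcessId,
                pspi->InheritedFromUniqueProcessId,
                pspi->SessionId,
                szClassification,
                ext->HasStrongId,
                pspi->ImageName);
        }
    } while (NextEntryOffset = pspi->NextEntryOffset);
}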
/*
 * Queries SystemFullProcessInformation into a heap buffer, growing it by one
 * page per retry while the kernel reports STATUS_INFO_LENGTH_MISMATCH, then
 * resolves the user SIDs (LookupSids) and prints every entry (EmumProcesses).
 *
 * Returns STATUS_INSUFFICIENT_RESOURCES if the buffer could not be allocated,
 * otherwise the first failing status, or the status of the print pass.
 * A STATUS_INFO_LENGTH_MISMATCH coming back from LookupSids is mapped to
 * STATUS_UNSUCCESSFUL so that it cannot re-trigger the retry loop.
 *
 * NOTE(review): `new BYTE[]` here is the throwing form, so the null check is
 * only effective if the project overrides operator new — confirm.
 */
NTSTATUS EmumProcesses()
{
    ULONG cb = 0x40000 - 0x1000;
    NTSTATUS status;

    for (;;)
    {
        cb += 0x1000;
        status = STATUS_INSUFFICIENT_RESOURCES;

        PBYTE buf = new BYTE[cb];
        if (buf)
        {
            // On STATUS_INFO_LENGTH_MISMATCH cb receives the required size,
            // and the next iteration adds one more page on top of it.
            status = NtQuerySystemInformation(SystemFullProcessInformation, buf, cb, &cb);
            if (0 <= status)
            {
                ULONG Count = 0;
                PLSA_REFERENCED_DOMAIN_LIST ReferencedDomains = 0;
                PLSA_TRANSLATED_NAME Names = 0;

                status = LookupSids(buf, &ReferencedDomains, &Names, &Count);
                if (0 <= status)
                {
                    EmumProcesses(buf, ReferencedDomains->Domains, ReferencedDomains->Entries, Names, Count);
                    LsaFreeMemory(ReferencedDomains);
                    LsaFreeMemory(Names);
                }
                else if (STATUS_INFO_LENGTH_MISMATCH == status)
                {
                    // Not a buffer-size problem of ours; do not loop on it.
                    status = STATUS_UNSUCCESSFUL;
                }
            }
            delete [] buf;
        }

        if (status != STATUS_INFO_LENGTH_MISMATCH)
        {
            return status;
        }
    }
}
/*
0(0) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "(null)"
4(0) 0 System 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "System"
94(4) 0 Registry 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "Registry"
220(4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\smss.exe"
3a8(39c) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\csrss.exe"
3fc(39c) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\wininit.exe"
1c4(3f4) 1 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\csrss.exe"
2e4(3fc) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\services.exe"
310(3f4) 1 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\winlogon.exe"
36c(3fc) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\lsass.exe"
420(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
43c(3fc) 0 Normal 0 [5] 'Font Driver Host\UMFD-0' [S-1-5-96-0-0] "\Device\HarddiskVolume9\Windows\System32\fontdrvhost.exe"
444(310) 1 Normal 0 [5] 'Font Driver Host\UMFD-1' [S-1-5-96-0-1] "\Device\HarddiskVolume9\Windows\System32\fontdrvhost.exe"
4ac(2e4) 0 Normal 0 [5] 'NT AUTHORITY\NETWORK SERVICE' [S-1-5-20] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
4d4(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
518(310) 1 Normal 0 [5] 'Window Manager\DWM-1' [S-1-5-90-0-1] "\Device\HarddiskVolume9\Windows\System32\dwm.exe"
5d4(2e4) 0 Normal 0 [5] 'NT AUTHORITY\NETWORK SERVICE' [S-1-5-20] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
610(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
680(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
68c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
694(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
69c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
6a8(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
71c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\NETWORK SERVICE' [S-1-5-20] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
73c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
76c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
778(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
7a0(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
854(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
894(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
8cc(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
8e8(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\WUDFHost.exe"
96c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
9b8(2e4) 0 Normal 0 [5] 'NT AUTHORITY\NETWORK SERVICE' [S-1-5-20] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
9d8(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
9e0(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
9e8(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
a2c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\NETWORK SERVICE' [S-1-5-20] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
a90(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
a9c(4) 0 Compression 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "Memory Compression"
af0(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
b40(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
b50(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
b74(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
594(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
c30(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
c90(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
cac(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
ce8(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
cf0(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
d3c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
da4(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
db4(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
e1c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
e24(2e4) 0 Normal 0 [5] 'NT AUTHORITY\NETWORK SERVICE' [S-1-5-20] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
e48(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
e98(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
ec4(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
f0c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
fe0(e1c) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\dasHost.exe"
95c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
d04(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
1200(76c) 1 Normal 0 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\System32\sihost.exe"
11f8(2e4) 1 Normal 0 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
129c(68c) 1 Normal 0 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\System32\taskhostw.exe"
14b0(1494) 1 Normal 0 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\explorer.exe"
1564(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
164c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
16ec(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
15a4(420) 1 Normal 1 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"
15b8(420) 1 Normal 1 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"
185c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
1864(420) 1 Normal 1 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\System32\RuntimeBroker.exe"
18c0(420) 1 Normal 1 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\System32\RuntimeBroker.exe"
18c8(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
19e4(2e4) 1 Normal 0 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
1abc(420) 1 Normal 0 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\System32\dllhost.exe"
1d08(cac) 1 Normal 0 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\System32\ctfmon.exe"
1da4(2e4) 1 Normal 0 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\System32\svchost.exe"
1194(420) 1 Normal 1 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"
...
*/