// Zero-valued byte used by LookupSids as the size of its first alloca().
// Presumably volatile so the size is not a compile-time constant and the call
// is not folded away; the returned address marks the top of the on-stack SID
// array that LookupSids grows below it.
extern volatile const UCHAR guz = 0;
// Map a process classification value to a short printable label.
//
// Classification - value of SYSTEM_PROCESS_INFORMATION_EXTENSION::Classification.
// buf, cch       - caller-supplied scratch buffer (cch characters) used only
//                  when the value is not one of the known constants.
//
// Returns a string literal for known values, otherwise buf holding "<hex>".
PCSTR get(ULONG Classification, PSTR buf, ULONG cch)
{
    static const struct { ULONG value; PCSTR label; } known[] = {
        { SystemProcessClassificationNormal,         "Normal" },
        { SystemProcessClassificationSystem,         "System" },
        { SystemProcessClassificationSecureSystem,   "Secure" },
        { SystemProcessClassificationMemCompression, "Compression" },
        { SystemProcessClassificationRegistry,       "Registry" },
    };

    for (size_t k = 0; k < _countof(known); k++)
    {
        if (known[k].value == Classification)
        {
            return known[k].label;
        }
    }

    // Unknown classification: render the raw value so it is still visible in the log.
    sprintf_s(buf, cch, "<%x>", Classification);
    return buf;
}
// LookupSids packs a 1-based index into its SID array into the upper bits of
// SYSTEM_PROCESS_INFORMATION_EXTENSION::UserSidOffset: bits [0, SidIndexShift)
// keep the original byte offset, bits [SidIndexShift, 32) carry the index.
// EmumProcesses splits the field again with the same shift, so both functions
// must agree on this value.
enum { SidIndexShift = 20 };
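// Collect the distinct user SIDs referenced by a SystemFullProcessInformation
// buffer, tag each process entry with the 1-based index of its SID, and
// resolve the SIDs to account names through LSA.
//
// buf               - buffer returned by NtQuerySystemInformation(
//                     SystemFullProcessInformation). Modified in place: the
//                     upper (32 - SidIndexShift) bits of every non-zero
//                     UserSidOffset receive the SID index.
// ReferencedDomains - receives the LSA domain list; caller frees with LsaFreeMemory.
// Names             - receives one translated name per distinct SID, in the
//                     order of the Sids array built here (most recently
//                     collected SID first); caller frees with LsaFreeMemory.
// pCount            - receives the number of distinct SIDs (entries in *Names).
//                     Only written on the non-error path below.
//
// Returns STATUS_INTERNAL_ERROR if a UserSidOffset or the SID count does not
// fit in its bit field, otherwise the status of LsaOpenPolicy / LsaLookupSids2.
NTSTATUS LookupSids(_Inout_ PBYTE buf,
    _Out_ PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
    _Out_ PLSA_TRANSLATED_NAME *Names,
    _Out_ ULONG* pCount)
{
    union {
        PBYTE pb;
        PSYSTEM_PROCESS_INFORMATION pspi;
    };
    pb = buf;
    ULONG NextEntryOffset = 0;
    // The SID pointer array lives on the stack and grows downward: each new
    // slot comes from a fresh alloca() and Sids is decremented into it. This
    // relies on successive alloca() calls handing out memory directly below
    // the previous block (MSVC behaviour) - not portable; confirm for the
    // target toolchain before reusing.
    PVOID stack = alloca(guz);
    PSID* Sids = (PSID*)stack;
    ULONG Count = 0, i, Index;
    do
    {
        pb += NextEntryOffset;
        PSYSTEM_PROCESS_INFORMATION_EXTENSION ext = (PSYSTEM_PROCESS_INFORMATION_EXTENSION)(pspi->TH + pspi->NumberOfThreads);
        if (ULONG UserSidOffset = ext->UserSidOffset)
        {
            // The offset must leave the upper bits free for the index.
            if (UserSidOffset >= (1 << SidIndexShift))
            {
                return STATUS_INTERNAL_ERROR;
            }
            Index = 0;// only for suppress compiler warning
            PSID Sid = RtlOffsetToPointer(ext, UserSidOffset);
            // Linear search of the SIDs seen so far. Sids[0] is the most
            // recently added SID (index Count) and Sids[Count-1] the first
            // (index 1), so the countdown value of i at a match is exactly
            // the 1-based index of that SID.
            if (i = Count)
            {
                PSID* sids = Sids;
                do
                {
                    if (RtlEqualSid(Sid, *sids++))
                    {
                        Index = i;
                        break;
                    }
                } while (--i);
            }
            if (!i)
            {
                // New SID: push it below the current array top.
                if (--Sids < stack)
                {
                    stack = alloca(sizeof(PSID));
                }
                *Sids = Sid;
                Index = ++Count;
                // Index must fit in the (32 - SidIndexShift) bits above the
                // offset, so the largest usable index is
                // (1 << (32 - SidIndexShift)) - 1. An index of exactly
                // 1 << (32 - SidIndexShift) would shift out of the 32-bit
                // field below and be read back as "no index" by EmumProcesses,
                // which then indexes one past the end of Names - so reject at
                // the limit, not only above it.
                if (Count >= (1 << (32 - SidIndexShift)))
                {
                    return STATUS_INTERNAL_ERROR;
                }
            }
            ext->UserSidOffset |= (Index << SidIndexShift);
        }
    } while (NextEntryOffset = pspi->NextEntryOffset);
    LSA_HANDLE PolicyHandle;
    OBJECT_ATTRIBUTES oa = { sizeof(oa) };
    NTSTATUS status;
    if (0 <= (status = LsaOpenPolicy(0, &oa, POLICY_LOOKUP_NAMES, &PolicyHandle)))
    {
        status = LsaLookupSids2(PolicyHandle, 0, Count, Sids, ReferencedDomains, Names);
        LsaClose(PolicyHandle);
    }
    *pCount = Count;
    return status;
}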
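// Print one line per process entry of a SystemFullProcessInformation buffer
// that LookupSids has already tagged, resolving the packed SID index back to
// the LSA name and domain.
//
// buf     - buffer processed by LookupSids (UserSidOffset carries the SID index).
// Domains - ReferencedDomains->Domains from LookupSids.
// Entries - ReferencedDomains->Entries (number of elements in Domains).
// Names   - translated names from LookupSids.
// Count   - number of elements in Names (the *pCount from LookupSids).
void EmumProcesses(_In_ PBYTE buf,
    _In_ PLSA_TRUST_INFORMATION Domains,
    _In_ ULONG Entries,
    _In_ PLSA_TRANSLATED_NAME Names,
    _In_ ULONG Count)
{
    UNICODE_STRING Empty {};
    union {
        PBYTE pb;
        PSYSTEM_PROCESS_INFORMATION pspi;
    };
    pb = buf;
    WCHAR sz[SECURITY_MAX_SID_STRING_CHARACTERS];
    UNICODE_STRING szSid = { 0, sizeof(sz), sz };
    ULONG NextEntryOffset = 0;
    do
    {
        pb += NextEntryOffset;
        PSYSTEM_PROCESS_INFORMATION_EXTENSION ext = (PSYSTEM_PROCESS_INFORMATION_EXTENSION)(pspi->TH + pspi->NumberOfThreads);
        char cc[16];
        PCSTR szClassification = get(ext->Classification, cc, _countof(cc));
        if (ULONG UserSidOffset = ext->UserSidOffset)
        {
            // Split the field LookupSids packed: high bits hold the 1-based
            // SID index, low bits the byte offset of the SID inside ext.
            ULONG Index = UserSidOffset >> SidIndexShift;
            UserSidOffset &= (1 << SidIndexShift) - 1;
            PSID Sid = RtlOffsetToPointer(ext, UserSidOffset);
            // Do not print a stale SID string from the previous entry if the
            // conversion fails.
            if (0 > RtlConvertSidToUnicodeString(&szSid, Sid, FALSE))
            {
                szSid.Length = 0;
            }
            // Names holds Count entries in reverse collection order (see
            // LookupSids), so index k maps to Names[Count - k]. Guard the
            // range so a malformed index cannot read past the array; an
            // out-of-range index prints with empty domain/name fields.
            PLSA_TRANSLATED_NAME Name = (Index && Index <= Count) ? Names + Count - Index : 0;
            PLSA_TRUST_INFORMATION Domain = 0;
            if (Name)
            {
                ULONG DomainIndex = Name->DomainIndex;
                Domain = DomainIndex < Entries ? Domains + DomainIndex : 0;
            }
            // %wZ takes a pointer to a UNICODE_STRING; ImageName is a struct
            // member, so pass its address (passing the struct by value only
            // happened to work through the x64 calling convention).
            DbgPrint("%x(%x) %x %s %x [%x] '%wZ\\%wZ' [%wZ] \"%wZ\"\n",
                pspi->UniqueProcessId,
                pspi->InheritedFromUniqueProcessId,
                pspi->SessionId,
                szClassification,
                ext->HasStrongId,
                Name ? Name->Use : 0,
                Domain ? &Domain->Name : &Empty,
                Name ? &Name->Name : &Empty,
                &szSid,
                &pspi->ImageName);
        }
        else
        {
            // Entry without a user SID (e.g. the idle process): no name columns.
            DbgPrint("%x(%x) %x %s %x \"%wZ\"\n",
                pspi->UniqueProcessId,
                pspi->InheritedFromUniqueProcessId,
                pspi->SessionId,
                szClassification,
                ext->HasStrongId,
                &pspi->ImageName);
        }
    } while (NextEntryOffset = pspi->NextEntryOffset);
}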
// Query the full process list, resolve process owners and print the result.
//
// Starts with a 0x40000-byte buffer and retries with a larger one while
// NtQuerySystemInformation reports STATUS_INFO_LENGTH_MISMATCH (cb is updated
// by the call and another 0x1000 bytes are added on each retry). A
// STATUS_INFO_LENGTH_MISMATCH coming from LookupSids is mapped to
// STATUS_UNSUCCESSFUL so it cannot trigger a retry.
//
// Returns STATUS_INSUFFICIENT_RESOURCES if the buffer allocation yields NULL,
// otherwise the first failing status, or the LookupSids status on success.
NTSTATUS EmumProcesses()
{
    ULONG cb = 0x40000 - 0x1000;
    NTSTATUS status;

    for (;;)
    {
        cb += 0x1000;
        // NOTE(review): a NULL check on new[] only helps with a non-throwing
        // operator new - confirm that is what this project links against.
        PBYTE buf = new BYTE[cb];
        if (!buf)
        {
            status = STATUS_INSUFFICIENT_RESOURCES;
            break;
        }

        status = NtQuerySystemInformation(SystemFullProcessInformation, buf, cb, &cb);
        if (0 <= status)
        {
            ULONG Count = 0;
            PLSA_REFERENCED_DOMAIN_LIST ReferencedDomains = 0;
            PLSA_TRANSLATED_NAME Names = 0;

            status = LookupSids(buf, &ReferencedDomains, &Names, &Count);
            if (0 <= status)
            {
                EmumProcesses(buf, ReferencedDomains->Domains, ReferencedDomains->Entries, Names, Count);
                LsaFreeMemory(ReferencedDomains);
                LsaFreeMemory(Names);
            }
            else if (STATUS_INFO_LENGTH_MISMATCH == status)
            {
                // Never let a LookupSids failure look like "buffer too small".
                status = STATUS_UNSUCCESSFUL;
            }
        }

        delete [] buf;

        if (status != STATUS_INFO_LENGTH_MISMATCH)
        {
            break;
        }
    }

    return status;
}
/* | |
0(0) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "(null)" | |
4(0) 0 System 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "System" | |
94(4) 0 Registry 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "Registry" | |
220(4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\smss.exe" | |
3a8(39c) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\csrss.exe" | |
3fc(39c) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\wininit.exe" | |
1c4(3f4) 1 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\csrss.exe" | |
2e4(3fc) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\services.exe" | |
310(3f4) 1 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\winlogon.exe" | |
36c(3fc) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\lsass.exe" | |
420(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
43c(3fc) 0 Normal 0 [5] 'Font Driver Host\UMFD-0' [S-1-5-96-0-0] "\Device\HarddiskVolume9\Windows\System32\fontdrvhost.exe" | |
444(310) 1 Normal 0 [5] 'Font Driver Host\UMFD-1' [S-1-5-96-0-1] "\Device\HarddiskVolume9\Windows\System32\fontdrvhost.exe" | |
4ac(2e4) 0 Normal 0 [5] 'NT AUTHORITY\NETWORK SERVICE' [S-1-5-20] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
4d4(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
518(310) 1 Normal 0 [5] 'Window Manager\DWM-1' [S-1-5-90-0-1] "\Device\HarddiskVolume9\Windows\System32\dwm.exe" | |
5d4(2e4) 0 Normal 0 [5] 'NT AUTHORITY\NETWORK SERVICE' [S-1-5-20] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
610(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
680(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
68c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
694(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
69c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
6a8(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
71c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\NETWORK SERVICE' [S-1-5-20] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
73c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
76c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
778(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
7a0(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
854(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
894(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
8cc(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
8e8(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\WUDFHost.exe" | |
96c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
9b8(2e4) 0 Normal 0 [5] 'NT AUTHORITY\NETWORK SERVICE' [S-1-5-20] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
9d8(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
9e0(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
9e8(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
a2c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\NETWORK SERVICE' [S-1-5-20] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
a90(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
a9c(4) 0 Compression 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "Memory Compression" | |
af0(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
b40(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
b50(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
b74(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
594(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
c30(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
c90(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
cac(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
ce8(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
cf0(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
d3c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
da4(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
db4(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
e1c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
e24(2e4) 0 Normal 0 [5] 'NT AUTHORITY\NETWORK SERVICE' [S-1-5-20] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
e48(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
e98(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
ec4(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
f0c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
fe0(e1c) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\dasHost.exe" | |
95c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
d04(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
1200(76c) 1 Normal 0 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\System32\sihost.exe" | |
11f8(2e4) 1 Normal 0 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
129c(68c) 1 Normal 0 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\System32\taskhostw.exe" | |
14b0(1494) 1 Normal 0 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\explorer.exe" | |
1564(2e4) 0 Normal 0 [5] 'NT AUTHORITY\LOCAL SERVICE' [S-1-5-19] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
164c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
16ec(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
15a4(420) 1 Normal 1 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" | |
15b8(420) 1 Normal 1 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" | |
185c(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
1864(420) 1 Normal 1 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\System32\RuntimeBroker.exe" | |
18c0(420) 1 Normal 1 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\System32\RuntimeBroker.exe" | |
18c8(2e4) 0 Normal 0 [5] 'NT AUTHORITY\SYSTEM' [S-1-5-18] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
19e4(2e4) 1 Normal 0 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
1abc(420) 1 Normal 0 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\System32\dllhost.exe" | |
1d08(cac) 1 Normal 0 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\System32\ctfmon.exe" | |
1da4(2e4) 1 Normal 0 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\System32\svchost.exe" | |
1194(420) 1 Normal 1 [1] 'DESKTOP-1234567\xyz' [S-1-5-21-*-*-*-1001] "\Device\HarddiskVolume9\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" | |
... | |
*/ |