mirror of
https://github.com/wavestone-cdt/EDRSandblast.git
synced 2026-06-08 16:37:12 +00:00
Various fixes (TCHAR/WCHAR confusions & handle leaks)
This commit is contained in:
Maxime Meignan
@@ -13,4 +13,5 @@ typedef BOOL(WINAPI* _MiniDumpWriteDump)(HANDLE hProcess, DWORD ProcessId, HANDL
|
||||
|
||||
|
||||
DWORD WINAPI dumpProcess(LPTSTR processName, TCHAR* outputDumpFile);
|
||||
DWORD WINAPI dumpProcessFromThread(PVOID* args);
|
||||
DWORD WINAPI dumpProcessFromThread(PVOID* args);
|
||||
BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege);
|
||||
|
||||
@@ -6,7 +6,7 @@
|
||||
#include "Undoc.h"
|
||||
#include "time.h"
|
||||
|
||||
VOID getUnicodeStringFromTCHAR(OUT PUNICODE_STRING unicodeString, IN WCHAR* tcharString);
|
||||
VOID getUnicodeStringFromWCHAR(OUT PUNICODE_STRING unicodeString, IN WCHAR* tcharString);
|
||||
|
||||
TCHAR* generateRandomString(TCHAR* str, size_t size);
|
||||
TCHAR* allocAndGenerateRandomString(size_t length);
|
||||
@@ -8,8 +8,6 @@ DWORD SandGetProcessPID(HANDLE hProcess);
|
||||
|
||||
PUNICODE_STRING SandGetProcessImage(HANDLE hProcess);
|
||||
|
||||
DWORD SandGetProcessFilename(PUNICODE_STRING ProcessImageUnicodeStr, TCHAR* ImageFileName, DWORD nSize);
|
||||
DWORD SandGetProcessFilename(PUNICODE_STRING ProcessImageUnicodeStr, LPWSTR ImageFileName, DWORD nSize);
|
||||
|
||||
DWORD SandFindProcessPidByName(TCHAR* targetProcessName, DWORD* pPid);
|
||||
|
||||
BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege);
|
||||
DWORD SandFindProcessPidByName(LPCWSTR targetProcessName, DWORD* pPid);
|
||||
|
||||
@@ -396,7 +396,7 @@ DWORD SandMiniDumpWriteDump(TCHAR* targetProcessName, WCHAR* dumpFilePath) {
|
||||
UNICODE_STRING dumpFilePathAsUnicodeStr = { 0 };
|
||||
wcscat_s(FilePath, _countof(FilePath), dumpFilePath);
|
||||
|
||||
getUnicodeStringFromTCHAR(&dumpFilePathAsUnicodeStr, FilePath);
|
||||
getUnicodeStringFromWCHAR(&dumpFilePathAsUnicodeStr, FilePath);
|
||||
|
||||
// Create the dump file to validate that the output path is correct beforing accessing the process to dump memory.
|
||||
InitializeObjectAttributes(&ObjectAttributesDumpFile, &dumpFilePathAsUnicodeStr, OBJ_CASE_INSENSITIVE, NULL, NULL);
|
||||
|
||||
@@ -31,9 +31,9 @@
|
||||
// return TRUE;
|
||||
//}
|
||||
|
||||
VOID getUnicodeStringFromTCHAR(OUT PUNICODE_STRING unicodeString, IN WCHAR* wcharString) {
|
||||
VOID getUnicodeStringFromWCHAR(OUT PUNICODE_STRING unicodeString, IN WCHAR* wcharString) {
|
||||
unicodeString->Buffer = wcharString;
|
||||
unicodeString->Length = (WORD)_tcslen(unicodeString->Buffer) * sizeof(WCHAR);
|
||||
unicodeString->Length = (WORD)wcslen(unicodeString->Buffer) * sizeof(WCHAR);
|
||||
unicodeString->MaximumLength = unicodeString->Length + sizeof(WCHAR);
|
||||
}
|
||||
|
||||
|
||||
@@ -18,7 +18,7 @@ DWORD SandGetProcessPID(HANDLE hProcess) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
return (DWORD) basicInformation.UniqueProcessId;
|
||||
return (DWORD)basicInformation.UniqueProcessId;
|
||||
}
|
||||
|
||||
// Retrieve a given process image (PE full path).
|
||||
@@ -28,7 +28,7 @@ PUNICODE_STRING SandGetProcessImage(HANDLE hProcess) {
|
||||
PUNICODE_STRING ProcessImageBuffer = NULL;
|
||||
|
||||
do {
|
||||
ProcessImageBuffer = calloc(ProcessImageLength, sizeof(TCHAR));
|
||||
ProcessImageBuffer = calloc(ProcessImageLength, sizeof(WCHAR));
|
||||
if (!ProcessImageBuffer) {
|
||||
_tprintf_or_not(TEXT("[-] Couldn't allocate memory for process image\n"));
|
||||
return NULL;
|
||||
@@ -44,50 +44,54 @@ PUNICODE_STRING SandGetProcessImage(HANDLE hProcess) {
|
||||
} while (status == STATUS_INFO_LENGTH_MISMATCH);
|
||||
|
||||
if (!ProcessImageBuffer) {
|
||||
_tprintf_or_not(TEXT("[-] Failed to retrieve process image\n"));
|
||||
_tprintf_or_not(TEXT("[-] Failed to retrieve process image: %08x\n"), status);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
||||
return ProcessImageBuffer;
|
||||
}
|
||||
|
||||
// Extract filename from process image full path.
|
||||
DWORD SandGetProcessFilename(PUNICODE_STRING ProcessImageUnicodeStr, TCHAR* ImageFileName, DWORD nSize) {
|
||||
DWORD SandGetProcessFilename(PUNICODE_STRING ProcessImageUnicodeStr, LPWSTR ImageFileName, DWORD nSize) {
|
||||
if (ProcessImageUnicodeStr->Length == 0) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
// Process name will be /binary.exe.
|
||||
TCHAR* ProcessName = _tcsrchr(ProcessImageUnicodeStr->Buffer, TEXT('\\'));
|
||||
WCHAR* ProcessName = wcsrchr(ProcessImageUnicodeStr->Buffer, L'\\');
|
||||
if (!ProcessName) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
// Skip the /.
|
||||
ProcessName = &ProcessName[1];
|
||||
|
||||
DWORD ProcessNameLength = (DWORD)_tcslen(ProcessName);
|
||||
|
||||
DWORD ProcessNameLength = (DWORD)wcslen(ProcessName);
|
||||
if (ProcessNameLength > nSize) {
|
||||
_tprintf_or_not(TEXT("[-] Input buffer size is too small for file name\n"));
|
||||
return 0;
|
||||
}
|
||||
|
||||
_tcsncat_s(ImageFileName, nSize, ProcessName, _TRUNCATE);
|
||||
|
||||
wcsncat_s(ImageFileName, nSize, ProcessName, _TRUNCATE);
|
||||
return ProcessNameLength;
|
||||
}
|
||||
|
||||
// Find a process PID using its filename.
|
||||
DWORD SandFindProcessPidByName(TCHAR* targetProcessName, DWORD* pPid) {
|
||||
DWORD SandFindProcessPidByName(LPCWSTR targetProcessName, DWORD* pPid) {
|
||||
DWORD status = STATUS_UNSUCCESSFUL;
|
||||
HANDLE hProcess = NULL;
|
||||
HANDLE hOldProcess = NULL;
|
||||
PUNICODE_STRING currentProcessImage = NULL;
|
||||
TCHAR* currentProcessName = NULL;
|
||||
LPWSTR currentProcessName = NULL;
|
||||
DWORD currentProcessNameSz = 0;
|
||||
|
||||
|
||||
*pPid = 0;
|
||||
|
||||
while (*pPid == 0) {
|
||||
status = NtGetNextProcess(hProcess, MAXIMUM_ALLOWED, 0, 0, &hProcess);
|
||||
status = NtGetNextProcess(hOldProcess, MAXIMUM_ALLOWED, 0, 0, &hProcess);
|
||||
if (hOldProcess) {
|
||||
NtClose(hOldProcess);
|
||||
}
|
||||
|
||||
if (status == STATUS_NO_MORE_ENTRIES) {
|
||||
_tprintf_or_not(TEXT("[-] The process '%s' was not found\n"), targetProcessName);
|
||||
@@ -99,24 +103,36 @@ DWORD SandFindProcessPidByName(TCHAR* targetProcessName, DWORD* pPid) {
|
||||
}
|
||||
|
||||
currentProcessImage = SandGetProcessImage(hProcess);
|
||||
currentProcessName = calloc(currentProcessImage->MaximumLength, sizeof(TCHAR));
|
||||
if (!currentProcessName) {
|
||||
_tprintf_or_not(TEXT("[-] Couldn't allocate memory for process filename\n"));
|
||||
return STATUS_UNSUCCESSFUL;
|
||||
}
|
||||
currentProcessNameSz = SandGetProcessFilename(currentProcessImage, currentProcessName, currentProcessImage->MaximumLength);
|
||||
if (currentProcessImage) {
|
||||
currentProcessName = calloc(currentProcessImage->MaximumLength, sizeof(WCHAR));
|
||||
if (!currentProcessName) {
|
||||
_tprintf_or_not(TEXT("[-] Couldn't allocate memory for process filename\n"));
|
||||
return STATUS_UNSUCCESSFUL;
|
||||
}
|
||||
_putws(currentProcessImage->Buffer);
|
||||
currentProcessNameSz = SandGetProcessFilename(currentProcessImage, currentProcessName, currentProcessImage->MaximumLength);
|
||||
|
||||
if (currentProcessNameSz != 0 && !_tcsicmp(targetProcessName, currentProcessName)) {
|
||||
*pPid = SandGetProcessPID(hProcess);
|
||||
break;
|
||||
}
|
||||
if (currentProcessNameSz != 0 && !_tcsicmp(targetProcessName, currentProcessName)) {
|
||||
*pPid = SandGetProcessPID(hProcess);
|
||||
break;
|
||||
}
|
||||
|
||||
free(currentProcessImage);
|
||||
currentProcessImage = NULL;
|
||||
free(currentProcessName);
|
||||
currentProcessName = NULL;
|
||||
free(currentProcessImage);
|
||||
currentProcessImage = NULL;
|
||||
free(currentProcessName);
|
||||
currentProcessName = NULL;
|
||||
}
|
||||
hOldProcess = hProcess;
|
||||
}
|
||||
if (currentProcessImage) {
|
||||
free(currentProcessImage);
|
||||
}
|
||||
if (currentProcessName) {
|
||||
free(currentProcessName);
|
||||
}
|
||||
if (hProcess) {
|
||||
NtClose(hProcess);
|
||||
}
|
||||
|
||||
if (*pPid) {
|
||||
return STATUS_SUCCES;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user