#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include "ntapi.h"
#include "misc.h"
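/*
 * Return the pid of the process that created the current process, i.e. the
 * InheritedFromUniqueProcessId slot of PROCESS_BASIC_INFORMATION, or 0 when
 * the query fails. Based on a snippet by Napalm @ NetCore2K (rohitab.com).
 *
 * The structure is read through a raw ULONG_PTR[6] so the code does not
 * depend on which field names the local ntapi.h declares for the struct;
 * the ulSize check verifies at run time that the kernel filled exactly a
 * six-pointer-sized layout before slot 5 is trusted.
 *
 * NOTE(review): the value identifies whoever spawned us at creation time.
 * That process may have exited since and its pid may have been recycled, so
 * callers should not treat the result as proof of a live parent.
 */
ULONG_PTR parent_process_id(void)
{
    typedef LONG (WINAPI *NtQueryInformationProcess_t)(HANDLE ProcessHandle,
        ULONG ProcessInformationClass, PVOID ProcessInformation,
        ULONG ProcessInformationLength, PULONG ReturnLength);
    /* Resolved once and cached; an unsynchronised racing first call simply
     * stores the same address again (NOTE(review): benign in practice). */
    static NtQueryInformationProcess_t pNtQueryInformationProcess;

    if(pNtQueryInformationProcess == NULL) {
        /* ntdll is mapped into every process, so GetModuleHandle is enough.
         * The previous LoadLibrary("ntdll") bumped ntdll's reference count on
         * every call and went through the loader, which code in a hooking
         * DLL like this one presumably wants to avoid re-entering. */
        *(FARPROC *) &pNtQueryInformationProcess = GetProcAddress(
            GetModuleHandle("ntdll"), "NtQueryInformationProcess");
        if(pNtQueryInformationProcess == NULL) {
            return 0;
        }
    }

    ULONG_PTR pbi[6] = {0};
    ULONG ulSize = 0;

    /* Information class 0 is ProcessBasicInformation. */
    LONG status = pNtQueryInformationProcess(GetCurrentProcess(), 0,
        pbi, sizeof(pbi), &ulSize);
    if(status >= 0 && ulSize == sizeof(pbi)) {
        /* Slot 5 holds InheritedFromUniqueProcessId. */
        return pbi[5];
    }
    return 0;
}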
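/*
 * Resolve the pid of the process referred to by process_handle using
 * NtQueryInformationProcess with class 0 (ProcessBasicInformation).
 *
 * Returns the UniqueProcessId from PROCESS_BASIC_INFORMATION, or 0 when the
 * ntdll export cannot be resolved, the query fails (for instance because the
 * handle lacks query access), or the kernel reports a structure size other
 * than the one passed in. Callers therefore cannot distinguish "no such
 * process" from "could not query" through the return value.
 */
DWORD pid_from_process_handle(HANDLE process_handle)
{
    typedef LONG (WINAPI *NtQueryInformationProcess_t)(HANDLE ProcessHandle,
        ULONG ProcessInformationClass, PVOID ProcessInformation,
        ULONG ProcessInformationLength, PULONG ReturnLength);
    /* Resolved once and cached; an unsynchronised racing first call simply
     * stores the same address again (NOTE(review): benign in practice). */
    static NtQueryInformationProcess_t pNtQueryInformationProcess;

    if(pNtQueryInformationProcess == NULL) {
        /* ntdll is always mapped; GetModuleHandle avoids the per-call
         * reference-count bump and loader round trip of LoadLibrary. */
        *(FARPROC *) &pNtQueryInformationProcess = GetProcAddress(
            GetModuleHandle("ntdll"), "NtQueryInformationProcess");
        if(pNtQueryInformationProcess == NULL) {
            return 0;
        }
    }

    /* `{0}` rather than the non-standard (pre-C23) `{}` initializer. */
    PROCESS_BASIC_INFORMATION pbi = {0};
    ULONG ulSize = 0;

    LONG status = pNtQueryInformationProcess(process_handle, 0,
        &pbi, sizeof(pbi), &ulSize);
    if(status >= 0 && ulSize == sizeof(pbi)) {
        /* Pids fit in 32 bits; the ULONG_PTR hop keeps the narrowing explicit
         * whether the header declares the field as integer or pointer. */
        return (DWORD) (ULONG_PTR) pbi.UniqueProcessId;
    }
    return 0;
}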
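/*
 * Resolve the pid of the process owning thread_handle using
 * NtQueryInformationThread with class 0 (ThreadBasicInformation) and
 * reading ClientId.UniqueProcess.
 *
 * Returns 0 when the ntdll export cannot be resolved, the query fails (for
 * instance because the handle lacks query access), or the kernel reports a
 * structure size other than the one passed in; 0 is therefore "unknown",
 * not a valid pid.
 */
DWORD pid_from_thread_handle(HANDLE thread_handle)
{
    typedef LONG (WINAPI *NtQueryInformationThread_t)(HANDLE ThreadHandle,
        ULONG ThreadInformationClass, PVOID ThreadInformation,
        ULONG ThreadInformationLength, PULONG ReturnLength);
    /* Resolved once and cached; an unsynchronised racing first call simply
     * stores the same address again (NOTE(review): benign in practice). */
    static NtQueryInformationThread_t pNtQueryInformationThread;

    if(pNtQueryInformationThread == NULL) {
        /* ntdll is always mapped; GetModuleHandle avoids the per-call
         * reference-count bump and loader round trip of LoadLibrary. */
        *(FARPROC *) &pNtQueryInformationThread = GetProcAddress(
            GetModuleHandle("ntdll"), "NtQueryInformationThread");
        if(pNtQueryInformationThread == NULL) {
            return 0;
        }
    }

    /* `{0}` rather than the non-standard (pre-C23) `{}` initializer. */
    THREAD_BASIC_INFORMATION tbi = {0};
    ULONG ulSize = 0;

    LONG status = pNtQueryInformationThread(thread_handle, 0,
        &tbi, sizeof(tbi), &ulSize);
    if(status >= 0 && ulSize == sizeof(tbi)) {
        /* ClientId.UniqueProcess is a HANDLE-typed pid; go through ULONG_PTR
         * so the narrowing to DWORD is an integer conversion, not a direct
         * pointer-to-int truncation. */
        return (DWORD) (ULONG_PTR) tbi.ClientId.UniqueProcess;
    }
    return 0;
}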
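/*
 * Return 32 random bits. Uses RtlGenRandom, the system random number
 * generator that advapi32 exports under the name SystemFunction036, and
 * falls back to the C runtime rand() only when that export is unavailable
 * or the call fails.
 *
 * NOTE(review): the rand() fallback is neither seeded here nor suitable for
 * anything that must be unpredictable to the monitored program; a caller
 * that needs unguessable values should treat the fallback as a degraded
 * path rather than equivalent output.
 */
DWORD random(void)
{
    typedef BOOLEAN (WINAPI *RtlGenRandom_t)(PVOID RandomBuffer,
        ULONG RandomBufferLength);
    /* Resolved once and cached; an unsynchronised racing first call simply
     * stores the same address again (NOTE(review): benign in practice). */
    static RtlGenRandom_t pRtlGenRandom;

    if(pRtlGenRandom == NULL) {
        /* GetModuleHandleW returns NULL if advapi32 is not mapped into this
         * process; in that case the pointer deliberately stays NULL instead
         * of being passed on to GetProcAddress. */
        HMODULE advapi32 = GetModuleHandleW(L"advapi32");
        if(advapi32 != NULL) {
            *(FARPROC *) &pRtlGenRandom = GetProcAddress(advapi32,
                "SystemFunction036");
        }
    }

    DWORD ret = 0;
    /* The previous version called pRtlGenRandom unconditionally, which
     * dereferences a NULL function pointer when resolution failed. */
    if(pRtlGenRandom != NULL && pRtlGenRandom(&ret, sizeof(ret))) {
        return ret;
    }
    return rand();
}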
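/*
 * Report whether the file system object named by obj is a directory.
 * Resolves ntdll!NtQueryAttributesFile once (cached in a static), queries
 * FILE_BASIC_INFORMATION for obj and tests FILE_ATTRIBUTE_DIRECTORY.
 *
 * Returns TRUE only when the query succeeds and the directory attribute is
 * set; FALSE for a NULL obj, an unresolvable export, a failed query (object
 * missing, access denied, ...) or a non-directory object. The return value
 * therefore does not distinguish "not a directory" from "could not query".
 *
 * NOTE(review): in a hooking DLL obj presumably arrives from the monitored
 * process's own call arguments and is untrusted. The system call is expected
 * to probe the pointers embedded in OBJECT_ATTRIBUTES itself; a NULL obj is
 * cheap to reject up front and is handled here.
 */
BOOL is_directory_objattr(const OBJECT_ATTRIBUTES *obj)
{
    typedef NTSTATUS (WINAPI *NtQueryAttributesFile_t)(
        _In_ const OBJECT_ATTRIBUTES *ObjectAttributes,
        _Out_ PFILE_BASIC_INFORMATION FileInformation);
    /* Resolved once and cached; an unsynchronised racing first call simply
     * stores the same address again (NOTE(review): benign in practice). */
    static NtQueryAttributesFile_t pNtQueryAttributesFile;

    if(obj == NULL) {
        return FALSE;
    }

    if(pNtQueryAttributesFile == NULL) {
        *(FARPROC *) &pNtQueryAttributesFile = GetProcAddress(
            GetModuleHandle("ntdll"), "NtQueryAttributesFile");
        /* The previous version called the pointer without checking it. */
        if(pNtQueryAttributesFile == NULL) {
            return FALSE;
        }
    }

    FILE_BASIC_INFORMATION basic_information = {0};
    if(!NT_SUCCESS(pNtQueryAttributesFile(obj, &basic_information))) {
        return FALSE;
    }

    /* Normalise to TRUE/FALSE rather than returning the raw attribute bit. */
    return (basic_information.FileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0;
}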