#ifndef PROCESS_H
#define PROCESS_H
#include <windows.h>
#include <winternl.h>
#include <TlHelp32.h>

#include <memory>
#include <mutex>
#include <string>
#include <vector>

#include "../report.h"
#include "../threadpool.h"
#include "../um/imports.h"
// THREADINFOCLASS value for NtQueryInformationThread that yields a thread's
// Win32 start address. The public winternl.h does not expose this enumerator,
// hence the local definition.
#define ThreadQuerySetWin32StartAddress 9
namespace usermode
{
/*
 * This class represents the protected process together with the usermode
 * functions responsible for protecting it. Splitting the protection logic
 * into methods of this class lets the usermode manager class manage it
 * easily.
 */
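class Process
{
    // Handle to the protected process. No destructor is declared in this
    // header, so the class does not manage the handle's lifetime itself —
    // NOTE(review): confirm in the implementation who closes it.
    HANDLE process_handle = nullptr;

    // Id of the protected process.
    DWORD process_id = 0;

    // Guards the members below; the header does not show which methods lock
    // it, so presumably the threadpool runs the checks concurrently.
    std::mutex mutex;

    // Resolved usermode imports used by the checks.
    std::unique_ptr<Imports> function_imports;

    // Checksums of loaded modules' in-memory images — presumably recorded when
    // VerifyLoadedModuleChecksums is called with Init set and compared later.
    std::vector<DWORD> in_memory_module_checksums;

    // Report sink shared with the rest of the usermode component.
    std::shared_ptr<global::Report> report_interface;

    HANDLE GetHandleToProcessGivenName( std::string ProcessName );
    std::vector<UINT64> GetProcessThreadsStartAddresses();

    // Shape suggests the bool return reports whether the query itself
    // succeeded and *Result carries the answer — verify against the .cpp.
    bool CheckIfAddressLiesWithinValidProcessModule( UINT64 Address, bool* Result );
    bool GetProcessBaseAddress( UINT64* Result );

    void CheckPageProtection( MEMORY_BASIC_INFORMATION* Page );
    void PatternScanRegion( UINT64 Address, MEMORY_BASIC_INFORMATION* Page );

public:

    // explicit: a Report pointer must never silently convert into a Process.
    explicit Process( std::shared_ptr<global::Report> ReportInterface );

    // The std::mutex member already makes the class non-copyable and
    // non-movable; state it rather than rely on the implicit deletion.
    Process( const Process& ) = delete;
    Process& operator=( const Process& ) = delete;

    void ValidateProcessThreads();
    void ScanProcessMemory();
    void VerifyLoadedModuleChecksums(bool Init);
};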
}
#endif