1 /* @(#) $Id: ./src/rootcheck/win-process.c, 2011/09/08 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
15 #include "rootcheck.h"
21 /* Reference for the debug-privilege handling below: http://support.microsoft.com/kb/q131065/ */
24 /* Set Debug privilege */
/* os_win32_setdebugpriv: enable (en != 0) or clear (en == 0) SE_DEBUG_NAME on
 * the access token h.
 *
 * NOTE(review): this listing is incomplete -- the original line numbering
 * jumps (25 -> 28 -> 30 -> 32 -> 37 ...), so the declarations of luid and tp,
 * the bodies of the if() blocks and the return statements are not visible
 * here.  Comments below describe only what the visible lines establish. */
25 int os_win32_setdebugpriv(HANDLE h, int en)
28 TOKEN_PRIVILEGES tpPrevious;
30 DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);
/* Resolve the LUID for SeDebugPrivilege.  The failure branch of this check is
 * one of the lines missing from the listing. */
32 if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
/* First adjustment: request the privilege with no attributes so that the
 * token's current state for it is written back into tpPrevious/cbPrevious. */
37 tp.PrivilegeCount = 1;
38 tp.Privileges[0].Luid = luid;
39 tp.Privileges[0].Attributes = 0;
41 AdjustTokenPrivileges(h, FALSE, &tp, sizeof(TOKEN_PRIVILEGES),
42 &tpPrevious,&cbPrevious);
/* GetLastError() is checked instead of the return value: AdjustTokenPrivileges
 * can return non-zero while leaving privileges unadjusted (it then reports
 * ERROR_NOT_ALL_ASSIGNED), so only ERROR_SUCCESS means the call fully took
 * effect.  The failure branch is not in this listing. */
44 if(GetLastError() != ERROR_SUCCESS)
/* Rebuild tpPrevious around the same LUID, keeping the Attributes returned by
 * the first call so that only the ENABLED bit is changed below. */
49 tpPrevious.PrivilegeCount = 1;
50 tpPrevious.Privileges[0].Luid = luid;
53 /* en != 0: set SE_PRIVILEGE_ENABLED.  Enabling SeDebugPrivilege lets this
 * process open other processes for inspection, so callers are expected to
 * clear it again (en == 0) as soon as it is no longer needed. */
56 tpPrevious.Privileges[0].Attributes |= (SE_PRIVILEGE_ENABLED);
/* en == 0: XOR with (ENABLED & Attributes) clears the ENABLED bit only when it
 * is currently set, leaving every other attribute bit untouched. */
60 tpPrevious.Privileges[0].Attributes ^= (SE_PRIVILEGE_ENABLED &
61 tpPrevious.Privileges[0].Attributes);
/* Second adjustment: apply the modified state; no previous state is requested. */
64 AdjustTokenPrivileges(h, FALSE, &tpPrevious, cbPrevious, NULL, NULL);
/* Same ERROR_SUCCESS test as above; its body and the function's final return
 * are outside the visible lines. */
65 if(GetLastError() != ERROR_SUCCESS)
75 /* os_get_process_list: Get list of win32 processes */
/* os_get_process_list: build an OSList of Proc_Info entries (p_name, p_path)
 * for every process in a Toolhelp32 snapshot, returned as void *.
 *
 * NOTE(review): this listing is incomplete -- the original numbering skips
 * lines (76 -> 78 -> 82 ...), so the declarations of hsnap/hpriv/p_name/
 * p_path/p_info, the if()/else bodies, the early returns and any
 * CloseHandle()/RevertToSelf() calls are not visible.  The comments below
 * only state what the visible lines show and flag what cannot be confirmed. */
76 void *os_get_process_list()
78 OSList *p_list = NULL;
82 PROCESSENTRY32 p_entry;
/* dwSize must be set before Process32First/Next will accept the struct. */
83 p_entry.dwSize = sizeof(PROCESSENTRY32);
86 /* Obtain a thread token with adjust/query rights so SeDebugPrivilege can be
 * enabled on it.  A plain thread normally has no token of its own, hence the
 * ERROR_NO_TOKEN / ImpersonateSelf retry below. */
87 if(!OpenThreadToken(GetCurrentThread(),
88 TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, FALSE, &hpriv))
90 if(GetLastError() == ERROR_NO_TOKEN)
/* ImpersonateSelf gives the thread its own copy of the process token.
 * NOTE(review): no matching RevertToSelf() is visible in this listing; if the
 * missing lines do not call it, the thread stays impersonating. */
92 if(!ImpersonateSelf(SecurityImpersonation))
94 merror("%s: ERROR: os_get_win32_process_list -> "
95 "ImpersonateSelf",ARGV0);
/* Retry now that the thread has a token. */
99 if(!OpenThreadToken(GetCurrentThread(),
100 TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,
103 merror("%s: ERROR: os_get_win32_process_list -> "
/* Any other OpenThreadToken failure is reported and (presumably, body not
 * visible) aborts the listing. */
110 merror("%s: ERROR: os_get_win32_process_list -> OpenThread",ARGV0);
116 /* Enable SeDebugPrivilege on hpriv so module snapshots of other users'
 * processes succeed below.  From here until the matching disable call the
 * thread can open arbitrary processes.
 * NOTE(review): the failure branches after this point are not in the listing;
 * if they return early, the privilege stays enabled on the thread token and
 * hpriv is never closed -- confirm against the full source. */
117 if(!os_win32_setdebugpriv(hpriv, 1))
119 merror("%s: ERROR: os_win32_setdebugpriv",ARGV0);
126 /* Snapshot of every process */
127 hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
128 if(hsnap == INVALID_HANDLE_VALUE)
130 merror("%s: ERROR: CreateToolhelp32Snapshot",ARGV0);
135 /* Skip the leading system entries.
 * NOTE(review): because of the short-circuit &&, Process32Next is only
 * evaluated when Process32First fails, so on success exactly one entry is
 * consumed here (not two as "first and second" suggests); the loop below
 * then starts from the second snapshot entry.  Failure body not visible. */
136 if(!Process32First(hsnap, &p_entry) && !Process32Next(hsnap, &p_entry ))
138 merror("%s: ERROR: Process32First", ARGV0);
144 /* Allocate the result list; the NULL check guarding the merror below is one
 * of the missing lines. */
145 p_list = OSList_Create();
149 merror(LIST_ERROR, ARGV0);
154 /* One Proc_Info per remaining snapshot entry.  p_name, p_path and p_info are
 * declared in lines missing from this listing. */
155 while(Process32Next( hsnap, &p_entry))
161 /* p_name: executable file name from the snapshot entry (os_strdup is the
 * project's allocating copy macro -- assumed to handle allocation failure
 * itself, confirm in the shared headers). */
162 os_strdup(p_entry.szExeFile, p_name);
165 /* Per-process module snapshot to recover the full executable path. */
166 HANDLE hmod = INVALID_HANDLE_VALUE;
167 MODULEENTRY32 m_entry;
168 m_entry.dwSize = sizeof(MODULEENTRY32);
170 /* Snapshot of the process.  This is the call that needs SeDebugPrivilege for
 * processes owned by other accounts; on failure the bare name is used as the
 * path so the entry is still recorded. */
171 hmod = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,
172 p_entry.th32ProcessID);
173 if(hmod == INVALID_HANDLE_VALUE)
175 os_strdup(p_name, p_path);
178 /* Executable path is the first entry in the module list; if it cannot be read
 * fall back to the name as well.
 * NOTE(review): no CloseHandle(hmod) is visible in this listing; if the
 * missing else/branch bodies do not close it, one handle per process leaks. */
179 else if(!Module32First(hmod, &m_entry))
182 os_strdup(p_name, p_path);
/* Module32First succeeded: take the full path from the module entry. */
187 os_strdup(m_entry.szExePath, p_path);
/* Record the entry; ownership of p_name/p_path moves into p_info and then
 * into p_list (os_calloc is the project's zeroing allocation macro). */
191 os_calloc(1, sizeof(Proc_Info), p_info);
192 p_info->p_name = p_name;
193 p_info->p_path = p_path;
194 OSList_AddData(p_list, p_info);
197 /* Drop SeDebugPrivilege again now that the snapshots are done.  The return
 * value is deliberately ignored here; the early-return paths above do not
 * reach this line (their bodies are not visible). */
198 os_win32_setdebugpriv(hpriv, 0);
/* Caller owns the returned list.  Whether hsnap/hpriv are closed before this
 * return cannot be determined from the visible lines. */
201 return((void *)p_list);