Manko

Great program, Manko :)

and I used some functions of it in my Task Manager

Thanks, Daywalkereg!

If you need anything, don't hesitate to ask! :) (Like explanations of my messy code...)

/Manko

Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...

@Manko

Indeed a great application!! :)

But one thing is missing: a search function.

To search on any of the columns for a specific DLL, PID, description, ...

Using the example here: _GUICtrlListView_FindText

Regards,

ptrex


Thanks, Ptrex!

This it? Update in first post.

Most Recent changes...

; 0.18_23
; Added: Search function, as suggested by ptrex.
; Change: Slight rewrite of module enumeration...
; Fixed: Tooltip not working in non-indented display... now it does...
; Fixed: Forgot to erase old modules on rescan, producing doubles...

; 0.18_22
; Added: Show processor load... Realised I was always checking with another task manager...

/Manko


This is amazing.... I wish I could code like this. o.o

Thanks! With practice, we all get better. :) But my impatience and love of shortcuts is perhaps not to be wished for, sometimes...

Just broke some important functions... UPDATE!

; 0.18_24
; Added: Listviews will scroll to the last found item when searching, especially important if there's only one hit somewhere FAAAR down...

; Fixed: Stupidly destroyed the searchbox twice, making it impossible to use the buttons "selection" and "listall". Extremely irritating!

UPDATE in first post! I hope to not be hogging forum space correcting stupid mistakes for a while... hrm...

/Manko


@Manko

Just did some tests.

This is perfect!! :P

Thanks a lot for hearing my request.

I hope it helps you as well.

regards,

ptrex

Thanks, ptrex!

Yeah, now that I've tried this feature out, I quite like it! :unsure:

Good potential for further singling out instances, both in straight and inverted use.

Thanks again for the suggestion!

/Manko


Great application! Thanks for a nice idea. I think you have missed one thing. Can you create sort of a "context menu" for your list of modules and processes containing the "unload", "kill" actions and others?

@Hammerfist

Thanks!

Actually, I have added code for that in the version I use/develop right now. But since I added some new functions without fully implementing them, and since I'm dug down in developing one particular function further, the app is really in quite an uglier state at the moment.

Though, I guess I might release it as is, just to see if someone comments...

@FIREFOX

Wraithdu has done much on injecting dlls... He made an app that was somewhat similar to mine at that time, that also injected.

Me, I don't see any reason why my app should do it. As I'm curious... What would you use it for, exactly?

/Manko


You have done really huge work here Manko.

Admirable.

Thanks, trancexx!

Update!

; 0.18_46

; Fixed: Putting a short sleep in the messageloop got rid of the insane CPU usage I got moving the mouse around in the GUI, with no apparent adverse effects. :D Why didn't I do it before???

; Fixed: Renamed some variables to not conflict. (Messageloop vs. Adlib...) (Array out of bounds - crash)

; Fixed: Lost name of drivers in display of SSDT-hooks sometimes. Troubles with logic between hex and int... Solved!

; Fixed: Another conflict between adlib and Messageloop, during Suspendall-state, sometimes when displaying drivers/threads/SSDT... Fixed! (Array out of bounds - crash)

Download in first post!

/Manko [Edit: New version. Posts moved together.]


; 0.18_47

; Added: Sanitize and kill - Upped by new trick for killing...

; Fixed: By copying the kernel file I get the access I need to play with the uninitialized kernel even on some restricted Vista systems...

; ...... (It would not even let me open the file, and since my window is topmost, the alert got placed behind it. Irritating!)

; Fixed: Messageboxes are now topmost!

Update in first post!

You think you could list mutexes as well?

Look here for the needs of some.

This unfinished code lists "user objects and handles", mutexes among them... Driver code is needed to better handle "named pipes". ...am researching.... Sorry about the delay! Other stuff happening in life... :)

#include <WinAPI.au3>   ; _GetPrivilege_SEDEBUG() - by wraithdu - uses this include (and so does _Handles()).
#include <Array.au3>    ; Needed to display the array in the example.

#RequireAdmin           ; SeDebugPrivilege only exists in an elevated admin token.

; SystemHandleInformation = 16

;~ typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
;~     USHORT UniqueProcessId;        // 16-bit! PIDs above 65535 are truncated in this class
;~     USHORT CreatorBackTraceIndex;
;~     UCHAR  ObjectTypeIndex;        // per-OS value, resolve with NtQueryObject(ObjectTypeInformation)
;~     UCHAR  HandleAttributes;
;~     USHORT HandleValue;
;~     PVOID  Object;
;~     ULONG  GrantedAccess;
;~ } SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;

;~ typedef struct _SYSTEM_HANDLE_INFORMATION {
;~     ULONG NumberOfHandles;
;~     SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[ 1 ];   // pointer-aligned: offset 4 on x86, 8 on x64
;~ } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

;~ BOOL DuplicateHandle(
;~     HANDLE   hSourceProcessHandle, // handle to process owning the handle     OpenProcess(PROCESS_DUP_HANDLE)
;~     HANDLE   hSourceHandle,        // handle to duplicate                     HandleValue from the table
;~     HANDLE   hTargetProcessHandle, // handle to process to duplicate into     GetCurrentProcess()
;~     LPHANDLE lpTargetHandle,       // receives the duplicate
;~     DWORD    dwDesiredAccess,      // access for duplicate                    0 (ignored with DUPLICATE_SAME_ACCESS)
;~     BOOL     bInheritHandle,       // handle inheritance flag                 0
;~     DWORD    dwOptions             // optional actions                        DUPLICATE_SAME_ACCESS = 0x2
;~ );

;~ NtQueryObject(
;~     IN  HANDLE ObjectHandle,
;~     IN  OBJECT_INFORMATION_CLASS ObjectInformationClass,  // ObjectNameInformation = 1, ObjectTypeInformation = 2
;~     OUT PVOID ObjectInformation,
;~     IN  ULONG Length,
;~     OUT PULONG ResultLength );

$tag_SYSTEM_HANDLE_INFO = _
    "USHORT UniqueProcessId;" & _
    "USHORT CreatorBackTraceIndex;" & _
    "ubyte ObjectTypeIndex;" & _
    "ubyte HandleAttributes;" & _
    "USHORT HandleValue;" & _
    "ptr Object;" & _
    "ulong GrantedAccess"
; Both ObjectTypeInformation and ObjectNameInformation start with a UNICODE_STRING, and the
; string is all we want, so TYPE / NAME doesn't matter: one tag serves for both.
$tag_OBJECT_TYPE = _
    "ushort Length;" & _
    "ushort MaximumLength;" & _
    "ptr    Name;" & _
    "byte[512]"


; ############# Needed Constants ###################
Global Const $PROCESS_VM_READ = 0x10
Global Const $PROCESS_QUERY_INFORMATION = 0x400
Global Const $SystemHandleInformation = 16
; Object type indices change between Windows versions. These are the values on the
; machine this was written on; check them against the TYPE column on yours.
Global Const $OBJTYPE_PROCESS = 5
Global Const $OBJTYPE_FILE = 28


; ############ Example code #######################
_GetPrivilege_SEDEBUG()
$temp = _Handles()
_ArrayDisplay($temp)
; ###############################################


; ############ Here be func! ####################
Func _Handles()
    Const $PROCESS_DUP_HANDLE = 0x40
    Const $DUPLICATE_SAME_ACCESS = 0x2
    ; 40 MB is plenty; if it ever isn't, ZwQuerySystemInformation returns
    ; STATUS_INFO_LENGTH_MISMATCH (0xC0000004) and we bail out instead of reading garbage.
    Local $Mem = DllStructCreate("byte[" & 40000000 & "]")
    Local $ret = DllCall("ntdll.dll", "int", "ZwQuerySystemInformation", "int", $SystemHandleInformation, _
            "ptr", DllStructGetPtr($Mem), "int", DllStructGetSize($Mem), "int*", 0)
    If @error Or $ret[0] <> 0 Then Return SetError(1, 0, 0)
    Local $dw = DllStructCreate("dword", $ret[2])
    Local $Count = DllStructGetData($dw, 1)
    Local $SysHnd_ptr = $ret[2] + 4                 ; Handles[] follows NumberOfHandles on x86...
    If @AutoItX64 Then $SysHnd_ptr = $ret[2] + 8    ; ...but is pointer-aligned on x64
    Local $SysHnd = DllStructCreate($tag_SYSTEM_HANDLE_INFO, $SysHnd_ptr)
    Local $SysHnd_Size = DllStructGetSize($SysHnd)  ; 16 on x86, 24 on x64 (padding included)
    Local $buffer, $i = 0, $m = 0, $iAttr, $bSkip, $hProcSource, $hDup, $ret1
    Local $avArray[$Count + 1][10]                  ; sized from the real count, not a fixed million rows
    Local $types[256]                               ; ObjectTypeIndex is a UCHAR: cache one name per index
    Local $ObjType = DllStructCreate($tag_OBJECT_TYPE)
    Local $hProcDest = _WinAPI_GetCurrentProcess()  ; pseudo-handle, nothing to open or close

    While $m < $Count
        $iAttr = DllStructGetData($SysHnd, "HandleAttributes")
        $avArray[$i][0] = DllStructGetData($SysHnd, "UniqueProcessId")
        $avArray[$i][1] = DllStructGetData($SysHnd, "CreatorBackTraceIndex")
        If Not $avArray[$i][1] Then $avArray[$i][1] = ""
        $avArray[$i][2] = DllStructGetData($SysHnd, "ObjectTypeIndex")
        $avArray[$i][3] = $iAttr
        If Not $avArray[$i][3] Then $avArray[$i][3] = ""
        $avArray[$i][4] = Ptr(DllStructGetData($SysHnd, "HandleValue"))
        $avArray[$i][5] = DllStructGetData($SysHnd, "Object")
        $avArray[$i][6] = DllStructGetData($SysHnd, "GrantedAccess")

        ; PROCESS_DUP_HANDLE is all DuplicateHandle needs; asking for PROCESS_ALL_ACCESS
        ; only makes more opens fail (system/protected processes).
        $hDup = 0
        $hProcSource = _WinAPI_OpenProcess($PROCESS_DUP_HANDLE, 0, $avArray[$i][0])
        If $hProcSource Then
            $ret = DllCall("kernel32.dll", "int", "DuplicateHandle", "handle", $hProcSource, "handle", $avArray[$i][4], _
                    "handle", $hProcDest, "handle*", 0, "dword", 0, "int", 0, "dword", $DUPLICATE_SAME_ACCESS)
            If Not @error And $ret[0] Then $hDup = $ret[4]
        EndIf
        $avArray[$i][7] = $hDup

        If $hDup = 0 Then
            ; Without a duplicate we can't ask NtQueryObject anything; say so instead of passing handle 0.
            $avArray[$i][9] = "    (OpenProcess/DuplicateHandle failed)"
        Else
            ; Resolve the TYPE name once per ObjectTypeIndex.
            If Not $types[$avArray[$i][2]] Then
                DllCall("ntdll.dll", "int", "NtQueryObject", "handle", $hDup, "int", 2, "ptr", DllStructGetPtr($ObjType), _
                        "int", DllStructGetSize($ObjType), "int*", 0)
                $buffer = DllStructCreate("wchar[256]", DllStructGetData($ObjType, "Name"))
                $types[$avArray[$i][2]] = DllStructGetData($buffer, 1)
            EndIf
            $avArray[$i][8] = $types[$avArray[$i][2]]

            ; Try to filter out NAMED PIPES to not deadlock: NtQueryObject(ObjectNameInformation) on a
            ; synchronous pipe handle with a read pending never returns. Writing a driver to get names
            ; would be best. I'm researching... These access masks are the ones seen to hang so far.
            $bSkip = False
            If $avArray[$i][2] = $OBJTYPE_FILE Then
                If $avArray[$i][6] = 0x00120189 Or $avArray[$i][6] = 0x00100000 Then $bSkip = True
                If $avArray[$i][6] = 0x0012019F And $iAttr < 2 Then $bSkip = True
            EndIf
;~          If $avArray[$i][0] <> 1452 Then $bSkip = True   ; single out one PID while debugging

            If $bSkip Then
                $avArray[$i][9] = "    NAMED PIPES ??? - DANGER OF DEADLOCK - SKIPPED ..."
            Else
                ; Still checking which access rights deadlock - ConsoleWrite...
                ConsoleWrite($avArray[$i][6] & " " & $avArray[$i][2] & " " & $avArray[$i][0] & $avArray[$i][8] & " " & @LF)
                Switch $avArray[$i][2]
                    Case $OBJTYPE_PROCESS
                        ; For process objects the "name" is the PID of the process the handle points at.
                        $ret1 = DllCall("kernel32.dll", "dword", "GetProcessId", "handle", $hDup)
                        $avArray[$i][9] = $ret1[0]
                    Case Else
                        $ObjType = DllStructCreate($tag_OBJECT_TYPE)
                        DllCall("ntdll.dll", "int", "NtQueryObject", "handle", $hDup, "int", 1, "ptr", DllStructGetPtr($ObjType), _
                                "int", DllStructGetSize($ObjType), "int*", 0)
                        $buffer = DllStructCreate("wchar[256]", DllStructGetData($ObjType, "Name"))
                        $avArray[$i][9] = DllStructGetData($buffer, 1)
                        If Not $avArray[$i][9] Then $avArray[$i][9] = ""
                EndSwitch
            EndIf
            _WinAPI_CloseHandle($hDup)   ; our copy; leaking one handle per row adds up fast
        EndIf
        If $hProcSource Then _WinAPI_CloseHandle($hProcSource)

        $i += 1
        $m += 1
        $SysHnd = DllStructCreate($tag_SYSTEM_HANDLE_INFO, $SysHnd_ptr + $SysHnd_Size * $m)
    WEnd
    ReDim $avArray[$i][10]
    Return $avArray
EndFunc   ;==>_Handles


; #######################
; ####################### Thanks to wraithdu!
Func _GetPrivilege_SEDEBUG()
    Local $tagLUIDANDATTRIB = "int64 Luid;dword Attributes"
    Local $count = 1
    Local $tagTOKENPRIVILEGES = "dword PrivilegeCount;byte LUIDandATTRIB[" & $count * 12 & "]" ; count of LUID structs * sizeof LUID struct
    Local $TOKEN_ADJUST_PRIVILEGES = 0x20
    Local $SE_PRIVILEGE_ENABLED = 0x2 ; not defined by WinAPI.au3, so define it here
    Local $call = DllCall("advapi32.dll", "int", "OpenProcessToken", "ptr", _WinAPI_GetCurrentProcess(), "dword", $TOKEN_ADJUST_PRIVILEGES, "ptr*", "")
    Local $hToken = $call[3]
    $call = DllCall("advapi32.dll", "int", "LookupPrivilegeValue", "str", Chr(0), "str", "SeDebugPrivilege", "int64*", "")
    ;MsgBox(0, "", $call[3] & " " & _WinAPI_GetLastErrorMessage())
    Local $iLuid = $call[3]
    Local $TP = DllStructCreate($tagTOKENPRIVILEGES)
    Local $LUID = DllStructCreate($tagLUIDANDATTRIB, DllStructGetPtr($TP, "LUIDandATTRIB"))
    DllStructSetData($TP, "PrivilegeCount", $count)
    DllStructSetData($LUID, "Luid", $iLuid)
    DllStructSetData($LUID, "Attributes", $SE_PRIVILEGE_ENABLED)
    $call = DllCall("advapi32.dll", "int", "AdjustTokenPrivileges", "ptr", $hToken, "int", 0, "ptr", DllStructGetPtr($TP), "dword", 0, "ptr", 0, "ptr", 0)
    ; NB: $hToken is never closed in this version, so the token handle leaks.
    Return ($call[0] <> 0) ; $call[0] <> 0 is success
EndFunc   ;==>_GetPrivilege_SEDEBUG

/Manko [EDIT: Bugfix of example code!]

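The struct definitions and the fixed "+4" offset in the post above are exactly where a handle-table parser breaks between 32-bit and 64-bit Windows. What follows is an added example written for this page in Python; it is not code from the thread or from ProDLLer. It parses a SYSTEM_HANDLE_INFORMATION buffer in either layout, rebuilds one from a constructed sample so the parser can be exercised offline, and applies the same named-pipe skip heuristic as the post (type index 28 = File and the three GrantedAccess masks, which are values from the poster's machine, not constants). The function names, the sample entries and query_system_handle_buffer() (the Windows-only fetch with the usual STATUS_INFO_LENGTH_MISMATCH retry) are all this example's own assumptions.

```python
import struct
from dataclasses import dataclass

SYSTEM_HANDLE_INFORMATION = 16
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004

# GrantedAccess masks the post found to hang NtQueryObject(ObjectNameInformation)
# on File-type handles (pipe ends with a synchronous read pending).
PIPE_LIKE_ACCESS = {0x00120189, 0x00100000}
PIPE_LIKE_ACCESS_IF_UNFLAGGED = 0x0012019F


@dataclass(frozen=True)
class HandleEntry:
    """One SYSTEM_HANDLE_TABLE_ENTRY_INFO, fields in C order."""
    pid: int                      # USHORT UniqueProcessId: wraps above 65535
    creator_backtrace_index: int  # USHORT
    object_type_index: int        # UCHAR, per-OS; resolve via NtQueryObject(ObjectTypeInformation)
    handle_attributes: int        # UCHAR (OBJ_INHERIT = 2, ...)
    handle_value: int             # USHORT
    object: int                   # PVOID, kernel address of the object
    granted_access: int           # ULONG access mask


def entry_format(is_64bit):
    # '<' turns off struct's own padding, so the layout is written out explicitly:
    #   x86: 2+2+1+1+2 + 4 (PVOID) + 4                 = 16 bytes, no padding
    #   x64: 2+2+1+1+2 + 8 (PVOID at offset 8) + 4 + 4 = 24 bytes, 4 of tail padding
    return "<HHBBHQL4x" if is_64bit else "<HHBBHIL"


def entry_size(is_64bit):
    return struct.calcsize(entry_format(is_64bit))


def header_size(is_64bit):
    # NumberOfHandles is a ULONG, but Handles[] is pointer-aligned: offset 4 on x86, 8 on x64.
    # The AutoIt code's fixed "+4" is therefore only right for a 32-bit build.
    return 8 if is_64bit else 4


def parse_handle_info(buf, is_64bit):
    fmt, size, hdr = entry_format(is_64bit), entry_size(is_64bit), header_size(is_64bit)
    count = struct.unpack_from("<L", buf, 0)[0]
    need = hdr + count * size
    if len(buf) < need:
        raise ValueError(f"buffer too short: need {need} bytes, have {len(buf)}")
    return [HandleEntry(*struct.unpack_from(fmt, buf, hdr + k * size)) for k in range(count)]


def build_handle_info(entries, is_64bit):
    """Inverse of parse_handle_info(); lets the parser be exercised without Windows."""
    fmt = entry_format(is_64bit)
    header = struct.pack("<L", len(entries)) + (b"\x00" * 4 if is_64bit else b"")
    body = b"".join(struct.pack(fmt, e.pid, e.creator_backtrace_index, e.object_type_index,
                                e.handle_attributes, e.handle_value, e.object, e.granted_access)
                    for e in entries)
    return header + body


def looks_like_named_pipe(e, file_type_index):
    """The post's skip heuristic. 28 was the File type index on the poster's machine;
    pass whatever NtQueryObject reports for "File" on yours."""
    if e.object_type_index != file_type_index:
        return False
    if e.granted_access in PIPE_LIKE_ACCESS:
        return True
    return e.granted_access == PIPE_LIKE_ACCESS_IF_UNFLAGGED and e.handle_attributes < 2


def query_system_handle_buffer():
    """Windows only: fetch the live table, growing the buffer until ntdll stops
    answering STATUS_INFO_LENGTH_MISMATCH instead of guessing 40 MB up front."""
    import ctypes
    ntdll = ctypes.WinDLL("ntdll")
    size = 0x10000
    while True:
        buf = ctypes.create_string_buffer(size)
        ret_len = ctypes.c_ulong(0)
        status = ntdll.NtQuerySystemInformation(SYSTEM_HANDLE_INFORMATION, buf, size,
                                                ctypes.byref(ret_len)) & 0xFFFFFFFF
        if status == STATUS_INFO_LENGTH_MISMATCH:
            size *= 2
            continue
        if status != 0:
            raise OSError(f"NtQuerySystemInformation failed: 0x{status:08X}")
        return buf.raw


# Constructed sample (not captured from a real machine): one Process handle and two
# File handles, the first of which matches the pipe heuristic.
SAMPLE_ENTRIES = [
    HandleEntry(1452, 0, 5, 0, 0x1C, 0x8A1B2C30, 0x001F0FFF),
    HandleEntry(1452, 0, 28, 0, 0x20, 0x8A1B3000, 0x00120189),
    HandleEntry(4, 0, 28, 2, 0x08, 0x85000000, 0x0012019F),
]

if __name__ == "__main__":
    for is64 in (False, True):
        for e in parse_handle_info(build_handle_info(SAMPLE_ENTRIES, is64), is64):
            flag = "SKIP (pipe?)" if looks_like_named_pipe(e, 28) else ""
            print(f"x64={is64!s:5} pid={e.pid:5d} type={e.object_type_index:3d} "
                  f"handle=0x{e.handle_value:04X} access=0x{e.granted_access:08X} {flag}")
```

On a live 64-bit system, feed `query_system_handle_buffer()` to `parse_handle_info(buf, True)`. Keep in mind that UniqueProcessId and HandleValue are USHORTs in this information class, so PIDs above 65535 wrap; newer tooling uses SystemExtendedHandleInformation (class 64), whose entries carry full-width fields, for that reason.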

Excellent.

What's the worst that could happen if I would use kernel mode functions from user mode? (I'm aware of restrictions with available space, but let's say I won't be breaking that.)

I'm actually asking what do I need to do to execute privileged instruction without the use of some driver?

I'm not altogether sure about these things, since I'm quite new with driver-developing...

...but, from user mode we don't have access to kernel space, which makes it impossible to have direct access to kernel-mode-only structures...

...there are intermediary functions that work in both environments but often do not reveal all info in user space...

In this particular case though... Trying to ask for the name of a "named pipe" in "sync-mode" locks my process indefinitely... Or till the app that opened it thus is closed. (Haven't tested, just been told...)

(In kernel I could just work on the object, unrestricted, instead of getting stumped by access conditions of the handle... sort of...)

Do you have an example of what you would like to do? Might be easier to answer... (...or not...) :)

PS. Updated example code as I had a few stupid mistakes in there... DS.

/Manko


Do you have an example of what you would like to do? Might be easier to answer...

/Manko

Read BIOS CMOS.

That is, accessing ports 112 and 113. Normally, without a driver, I'm not allowed. But since nothing is impossible...

edit: been working on both


@Manko

I rewrote my GetPrivilege function a little, and closed a handle that was mistakenly left open. Here ya go:

; #FUNCTION# ;===============================================================================
;
; Name...........: _GetPrivilege_SEDEBUG
; Description ...: Obtains the SE_DEBUG privilege for the running process
; Syntax.........: _GetPrivilege_SEDEBUG()
; Parameters ....: 
; Return values .: Success - Returns True
;                  Failure - Returns False
; Author ........: Erik Pilsits
; Modified.......:
; Remarks .......:
; Related .......: 
; Link ..........;
; Example .......; 
;
; ;==========================================================================================
Func _GetPrivilege_SEDEBUG()
    Local $tagLUIDANDATTRIB = "int64 Luid;dword Attributes"
    Local $count = 1
    Local $tagTOKENPRIVILEGES = "dword PrivilegeCount;byte LUIDandATTRIB[" & $count * 12 & "]" ; count of LUID structs * sizeof LUID struct
    Local $TOKEN_ADJUST_PRIVILEGES = 0x20
    Local $SE_PRIVILEGE_ENABLED = 0x2
    
    Local $curProc = DllCall("kernel32.dll", "ptr", "GetCurrentProcess")
    Local $call = DllCall("advapi32.dll", "int", "OpenProcessToken", "ptr", $curProc[0], "dword", $TOKEN_ADJUST_PRIVILEGES, "ptr*", "")
    If Not $call[0] Then Return False
    Local $hToken = $call[3]

    $call = DllCall("advapi32.dll", "int", "LookupPrivilegeValue", "str", "", "str", "SeDebugPrivilege", "int64*", "")
    Local $iLuid = $call[3]

    Local $TP = DllStructCreate($tagTOKENPRIVILEGES)
    Local $LUID = DllStructCreate($tagLUIDANDATTRIB, DllStructGetPtr($TP, "LUIDandATTRIB"))

    DllStructSetData($TP, "PrivilegeCount", $count)
    DllStructSetData($LUID, "Luid", $iLuid)
    DllStructSetData($LUID, "Attributes", $SE_PRIVILEGE_ENABLED)

    $call = DllCall("advapi32.dll", "int", "AdjustTokenPrivileges", "ptr", $hToken, "int", 0, "ptr", DllStructGetPtr($TP), "dword", 0, "ptr", 0, "ptr", 0)
    DllCall("kernel32.dll", "int", "CloseHandle", "ptr", $hToken)
    Return ($call[0] <> 0) ; $call[0] <> 0 is success
EndFunc   ;==>_GetPrivilege_SEDEBUG
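An added example, not wraithdu's or Manko's code, that does the same SeDebugPrivilege enable from Python/ctypes. It packs the same 16-byte TOKEN_PRIVILEGES that the "count * 12" tag above describes, closes the token handle on every path, and keeps the one check both AutoIt versions skip: AdjustTokenPrivileges returns nonzero even when the token never held the privilege, and only GetLastError() == ERROR_NOT_ALL_ASSIGNED (1300) tells you that SeDebugPrivilege did not actually turn on, which is what a non-elevated user gets. The function names are this example's own; enable_privilege() needs Windows, the other two run anywhere.

```python
import struct
import sys

SE_PRIVILEGE_ENABLED = 0x00000002
TOKEN_ADJUST_PRIVILEGES = 0x0020
TOKEN_QUERY = 0x0008
ERROR_NOT_ALL_ASSIGNED = 1300  # AdjustTokenPrivileges "succeeded" but the token never held the privilege


def build_token_privileges(luid, attributes=SE_PRIVILEGE_ENABLED):
    """Pack a one-entry TOKEN_PRIVILEGES:
         DWORD PrivilegeCount;
         LUID_AND_ATTRIBUTES Privileges[1];  // { LUID {DWORD LowPart; LONG HighPart}; DWORD Attributes }
    LUID_AND_ATTRIBUTES is 12 bytes, so the whole block is 16 bytes on x86 and x64 alike,
    which is the "count * 12" the AutoIt tag encodes."""
    if not 0 <= luid < (1 << 64):
        raise ValueError("LUID must fit in 64 bits")
    return struct.pack("<LLLL", 1, luid & 0xFFFFFFFF, luid >> 32, attributes)


def privilege_outcome(call_succeeded, last_error):
    """Tri-state the (return value, GetLastError) pair AdjustTokenPrivileges hands back.
    Returning only the BOOL, as the AutoIt versions do, reports True for a token that
    does not hold SeDebugPrivilege at all."""
    if not call_succeeded:
        return "call_failed"
    if last_error == ERROR_NOT_ALL_ASSIGNED:
        return "not_held"
    return "enabled"


def enable_privilege(name="SeDebugPrivilege"):
    """Windows only. Returns one of privilege_outcome()'s strings, or raises OSError
    when an API call fails outright."""
    if sys.platform != "win32":
        raise OSError("enable_privilege() needs the Windows token APIs")
    import ctypes
    from ctypes import wintypes
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    # Explicit prototypes: on x64 a HANDLE silently truncated to a C int is a classic ctypes bug.
    kernel32.GetCurrentProcess.restype = wintypes.HANDLE
    kernel32.CloseHandle.argtypes = [wintypes.HANDLE]
    advapi32.OpenProcessToken.argtypes = [wintypes.HANDLE, wintypes.DWORD, ctypes.POINTER(wintypes.HANDLE)]
    advapi32.LookupPrivilegeValueW.argtypes = [wintypes.LPCWSTR, wintypes.LPCWSTR, ctypes.c_void_p]
    advapi32.AdjustTokenPrivileges.argtypes = [wintypes.HANDLE, wintypes.BOOL, ctypes.c_void_p,
                                               wintypes.DWORD, ctypes.c_void_p, ctypes.c_void_p]
    h_token = wintypes.HANDLE()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(),
                                     TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ctypes.byref(h_token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        luid = ctypes.c_uint64(0)  # LUID is 8 bytes; treated as one integer here
        if not advapi32.LookupPrivilegeValueW(None, name, ctypes.byref(luid)):
            raise ctypes.WinError(ctypes.get_last_error())
        tp = ctypes.create_string_buffer(build_token_privileges(luid.value))
        ok = advapi32.AdjustTokenPrivileges(h_token, False, tp, 0, None, None)
        err = ctypes.get_last_error()  # read immediately, before anything else can overwrite it
        outcome = privilege_outcome(bool(ok), err)
        if outcome == "call_failed":
            raise ctypes.WinError(err)
        return outcome
    finally:
        kernel32.CloseHandle(h_token)  # closed on every path, success or not


if __name__ == "__main__":
    print(enable_privilege())
```

Treat "not_held" as a hard failure for a tool like this: every later OpenProcess on a system process will fail with access denied and the handle list will silently be incomplete.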

Let's say the DllCall() function fails for some, any, reason. What happens?

AutoIt is specific.


Manko, my man! wassap

Hey, I just tried to destroy a crashed app with your 'Sanitize and kill' function and guess what? ProDLLer killed itself! :) I thought for sure it was supposed to kill the process!

Anyway, I'm still confused by all those buttons with limited descriptions - but wasn't there a way to detect if a process was locked up/frozen/crashed?

Btw, I'm trying with my 'Full-Screen Crash Recovery' program to terminate the app - but 'WinGetProcess' and the API call 'GetWindowThreadProcessId' that it uses (I assume) both return the Explorer.exe Process ID for a frozen/crashed app!

Dang.. I'm really getting frustrated here trying to figure out how to close the right process..

On the plus side, remember 'IsHungAppWindow'? It actually returns True for these crashed windows! So there's one plus.. now to find the process ID and terminate it..

*edit: I got it all figured out.. turns out, even though explorer.exe was returned for the crashed apps, explorer.exe was in fact crashed as well! Once it was terminated, WinGetProcess() returned the correct process ID. But termination was impossible at that point. Luckily the windows disappeared from the screen, so I can still consider the Full-Screen Crash Recovery program a success! :) Now to upload the new version..
