nerd/rufus
1
1
Fork 0
mirror of https://github.com/pbatard/rufus.git synced 2024-08-14 23:57:05 +00:00
Code Issues 1 Projects Releases Wiki Activity

[process] fix retrieval of full process commandline for MinGW32

Browse source 
* NtWow64QueryInformationProcess64() fails because sizeof(PVOID64) happens to be 4 instead of 8 in MinGW32 (WTF?!?) and
  therefore sizeof(pbi) is set to 44 instead of 48, resulting in NTSTATUS code 0xC0000004: STATUS_INFO_LENGTH_MISMATCH...
  => Use an ULONGLONG instead and don't rely on MinGW32's improper definitions.
* Also fix an issue whereas, when we find multiple conflicting processes, the first one's path is duplicated to all others...
This commit is contained in:
Pete Batard 2019-04-02 12:31:41 +01:00
parent 2a1c57c750
commit dd9f9ce1e9
No known key found for this signature in database
GPG key ID: 38E0CF5E69EDD671
3 changed files with 17 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

9
src/process.c
View file

@ -43,7 +43,7 @@ PF_TYPE_DECL(NTAPI, NTSTATUS, NtQuerySystemInformation, (SYSTEM_INFORMATION_CLAS
PF_TYPE_DECL(NTAPI, NTSTATUS, NtQueryInformationFile, (HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS)); PF_TYPE_DECL(NTAPI, NTSTATUS, NtQueryInformationFile, (HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS));
PF_TYPE_DECL(NTAPI, NTSTATUS, NtQueryInformationProcess, (HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG)); PF_TYPE_DECL(NTAPI, NTSTATUS, NtQueryInformationProcess, (HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG));
PF_TYPE_DECL(NTAPI, NTSTATUS, NtWow64QueryInformationProcess64, (HANDLE, ULONG, PVOID, ULONG, PULONG)); PF_TYPE_DECL(NTAPI, NTSTATUS, NtWow64QueryInformationProcess64, (HANDLE, ULONG, PVOID, ULONG, PULONG));
PF_TYPE_DECL(NTAPI, NTSTATUS, NtWow64ReadVirtualMemory64, (HANDLE, PVOID64, PVOID, ULONG64, PULONG64)); PF_TYPE_DECL(NTAPI, NTSTATUS, NtWow64ReadVirtualMemory64, (HANDLE, ULONGLONG, PVOID, ULONG64, PULONG64));
PF_TYPE_DECL(NTAPI, NTSTATUS, NtQueryObject, (HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG, PULONG)); PF_TYPE_DECL(NTAPI, NTSTATUS, NtQueryObject, (HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG, PULONG));
PF_TYPE_DECL(NTAPI, NTSTATUS, NtDuplicateObject, (HANDLE, HANDLE, HANDLE, PHANDLE, ACCESS_MASK, ULONG, ULONG)); PF_TYPE_DECL(NTAPI, NTSTATUS, NtDuplicateObject, (HANDLE, HANDLE, HANDLE, PHANDLE, ACCESS_MASK, ULONG, ULONG));
PF_TYPE_DECL(NTAPI, NTSTATUS, NtOpenProcess, (PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, CLIENT_ID*)); PF_TYPE_DECL(NTAPI, NTSTATUS, NtOpenProcess, (PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, CLIENT_ID*));
@ -354,7 +354,7 @@ static PWSTR GetProcessCommandLine(HANDLE hProcess)
if (wow) { if (wow) {
// 32-bit process running on a 64-bit OS // 32-bit process running on a 64-bit OS
PROCESS_BASIC_INFORMATION_WOW64 pbi = { 0 }; PROCESS_BASIC_INFORMATION_WOW64 pbi = { 0 };
PVOID64 params; ULONGLONG params;
UNICODE_STRING_WOW64* ucmdline; UNICODE_STRING_WOW64* ucmdline;
PF_INIT_OR_OUT(NtWow64QueryInformationProcess64, NtDll); PF_INIT_OR_OUT(NtWow64QueryInformationProcess64, NtDll);
@ -369,7 +369,7 @@ static PWSTR GetProcessCommandLine(HANDLE hProcess)
goto out; goto out;
// Read Process Parameters from the 64-bit address space // Read Process Parameters from the 64-bit address space
params = (PVOID64) *((PVOID64*)(peb + pp_offset)); params = (ULONGLONG) *((ULONGLONG*)(peb + pp_offset));
status = pfNtWow64ReadVirtualMemory64(hProcess, params, pp, cmd_offset + 16, NULL); status = pfNtWow64ReadVirtualMemory64(hProcess, params, pp, cmd_offset + 16, NULL);
if (!NT_SUCCESS (status)) if (!NT_SUCCESS (status))
goto out; goto out;
@ -435,7 +435,7 @@ static DWORD WINAPI SearchProcessThread(LPVOID param)
WCHAR *wHandleName = NULL; WCHAR *wHandleName = NULL;
HANDLE dupHandle = NULL; HANDLE dupHandle = NULL;
HANDLE processHandle = NULL; HANDLE processHandle = NULL;
BOOLEAN bFound = FALSE, bGotCmdLine = FALSE, verbose = !_bQuiet; BOOLEAN bFound = FALSE, bGotCmdLine, verbose = !_bQuiet;
ULONG access_rights = 0; ULONG access_rights = 0;
DWORD size; DWORD size;
char cmdline[MAX_PATH] = { 0 }; char cmdline[MAX_PATH] = { 0 };
@ -598,6 +598,7 @@ static DWORD WINAPI SearchProcessThread(LPVOID param)
vuprintf("WARNING: The following process(es) or service(s) are accessing %s:", _HandleName); vuprintf("WARNING: The following process(es) or service(s) are accessing %s:", _HandleName);
// Where possible, try to get the full command line // Where possible, try to get the full command line
bGotCmdLine = FALSE;
wcmdline = GetProcessCommandLine(processHandle); wcmdline = GetProcessCommandLine(processHandle);
if (wcmdline != NULL) { if (wcmdline != NULL) {
bGotCmdLine = TRUE; bGotCmdLine = TRUE;

5
src/process.h
View file

@ -121,7 +121,8 @@ typedef struct _OBJECT_TYPES_INFORMATION
typedef struct _PROCESS_BASIC_INFORMATION_WOW64 typedef struct _PROCESS_BASIC_INFORMATION_WOW64
{ {
PVOID Reserved1[2]; PVOID Reserved1[2];
PVOID64 PebBaseAddress; // MinGW32 screws us with a sizeof(PVOID64) of 4 instead of 8 => Use an ULONGLONG instead
ULONGLONG PebBaseAddress;
PVOID Reserved2[4]; PVOID Reserved2[4];
ULONG_PTR UniqueProcessId[2]; ULONG_PTR UniqueProcessId[2];
PVOID Reserved3[2]; PVOID Reserved3[2];
@ -131,7 +132,7 @@ typedef struct _UNICODE_STRING_WOW64
{ {
USHORT Length; USHORT Length;
USHORT MaximumLength; USHORT MaximumLength;
PVOID64 Buffer; ULONGLONG Buffer;
} UNICODE_STRING_WOW64; } UNICODE_STRING_WOW64;
typedef struct _FILE_PROCESS_IDS_USING_FILE_INFORMATION typedef struct _FILE_PROCESS_IDS_USING_FILE_INFORMATION

10
src/rufus.rc
View file

@ -33,7 +33,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
IDD_DIALOG DIALOGEX 12, 12, 232, 326 IDD_DIALOG DIALOGEX 12, 12, 232, 326
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
EXSTYLE WS_EX_ACCEPTFILES EXSTYLE WS_EX_ACCEPTFILES
CAPTION "Rufus 3.6.1505" CAPTION "Rufus 3.6.1506"
FONT 9, "Segoe UI Symbol", 400, 0, 0x0 FONT 9, "Segoe UI Symbol", 400, 0, 0x0
BEGIN BEGIN
LTEXT "Drive Properties",IDS_DRIVE_PROPERTIES_TXT,8,6,53,12,NOT WS_GROUP LTEXT "Drive Properties",IDS_DRIVE_PROPERTIES_TXT,8,6,53,12,NOT WS_GROUP
@ -394,8 +394,8 @@ END
// //
VS_VERSION_INFO VERSIONINFO VS_VERSION_INFO VERSIONINFO
FILEVERSION 3,6,1505,0 FILEVERSION 3,6,1506,0
PRODUCTVERSION 3,6,1505,0 PRODUCTVERSION 3,6,1506,0
FILEFLAGSMASK 0x3fL FILEFLAGSMASK 0x3fL
#ifdef _DEBUG #ifdef _DEBUG
FILEFLAGS 0x1L FILEFLAGS 0x1L
@ -413,13 +413,13 @@ BEGIN
VALUE "Comments", "https://akeo.ie" VALUE "Comments", "https://akeo.ie"
VALUE "CompanyName", "Akeo Consulting" VALUE "CompanyName", "Akeo Consulting"
VALUE "FileDescription", "Rufus" VALUE "FileDescription", "Rufus"
VALUE "FileVersion", "3.6.1505" VALUE "FileVersion", "3.6.1506"
VALUE "InternalName", "Rufus" VALUE "InternalName", "Rufus"
VALUE "LegalCopyright", "© 2011-2019 Pete Batard (GPL v3)" VALUE "LegalCopyright", "© 2011-2019 Pete Batard (GPL v3)"
VALUE "LegalTrademarks", "https://www.gnu.org/copyleft/gpl.html" VALUE "LegalTrademarks", "https://www.gnu.org/copyleft/gpl.html"
VALUE "OriginalFilename", "rufus-3.6.exe" VALUE "OriginalFilename", "rufus-3.6.exe"
VALUE "ProductName", "Rufus" VALUE "ProductName", "Rufus"
VALUE "ProductVersion", "3.6.1505" VALUE "ProductVersion", "3.6.1506"
END END
END END
BLOCK "VarFileInfo" BLOCK "VarFileInfo"