hollows_hunter/process__util_8h_source.html

#pragma once


#include <windows.h>

#include <psapi.h>

#include <iostream>

#include "suspend.h"


namespace process_util {


    inline bool is_wow_64(HANDLE process)

    {

        HMODULE kernel32 = GetModuleHandleA("kernel32");

        if (!kernel32) return false; // should not happen


        FARPROC procPtr = GetProcAddress(kernel32, "IsWow64Process");

        if (!procPtr) {

            //this system does not have a function IsWow64Process

            return false;

        }

        BOOL(WINAPI * is_process_wow64)(IN HANDLE, OUT PBOOL)

            = (BOOL(WINAPI*)(IN HANDLE, OUT PBOOL))procPtr;


        BOOL isCurrWow64 = FALSE;

        if (!is_process_wow64(process, &isCurrWow64)) {

            return false;

        }

        return isCurrWow64 ? true : false;

    }


    inline bool is_wow_64_by_pid(DWORD processID)

    {

        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, processID);

        if (!hProcess) {

            hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, processID);

            if (!hProcess) return false;

        }

        return is_wow_64(hProcess);

    }


    inline bool get_process_path(DWORD processID, WCHAR* szProcessName, size_t processNameSize)

    {

        if (!szProcessName || !processNameSize) return false;


        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, processID);

        if (!hProcess) {

            hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, processID);

            if (!hProcess) return false;

        }

        DWORD exeNameSize = processNameSize;

        BOOL isOK = QueryFullProcessImageNameW(hProcess, 0, szProcessName, &exeNameSize);

        CloseHandle(hProcess);


        if (!isOK || !exeNameSize) {

            return false;

        }

        return true;

    }


    inline size_t suspend_suspicious(std::vector<DWORD>& suspicious_pids)

    {

        size_t done = 0;

        std::vector<DWORD>::iterator itr;

        for (itr = suspicious_pids.begin(); itr != suspicious_pids.end(); ++itr) {

            DWORD pid = *itr;

            if (!suspend_process(pid)) {

                std::cerr << "Could not suspend the process. PID = " << pid << std::endl;

            }

        }

        return done;

    }


    inline size_t kill_suspicious(std::vector<DWORD>& suspicious_pids)

    {

        size_t killed = 0;

        std::vector<DWORD>::iterator itr;

        for (itr = suspicious_pids.begin(); itr != suspicious_pids.end(); ++itr) {

            DWORD pid = *itr;

            HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, pid);

            if (!hProcess) {

                continue;

            }

            if (TerminateProcess(hProcess, 0)) {

                killed++;

            }

            else {

                std::cerr << "Could not terminate the process. PID = " << pid << std::endl;

            }

            CloseHandle(hProcess);

        }

        return killed;

    }


}; // namespace process_util


process_util
Definition process_util.h:8

process_util::is_wow_64
bool is_wow_64(HANDLE process)
Definition process_util.h:10

process_util::get_process_path
bool get_process_path(DWORD processID, WCHAR *szProcessName, size_t processNameSize)
Definition process_util.h:42

process_util::suspend_suspicious
size_t suspend_suspicious(std::vector< DWORD > &suspicious_pids)
Definition process_util.h:61

process_util::kill_suspicious
size_t kill_suspicious(std::vector< DWORD > &suspicious_pids)
Definition process_util.h:74

process_util::is_wow_64_by_pid
bool is_wow_64_by_pid(DWORD processID)
Definition process_util.h:31

suspend_process
bool suspend_process(DWORD processId)
Definition suspend.cpp:7

suspend.h