4#ifndef RTL_CLONE_PROCESS_FLAGS_CREATE_SUSPENDED
5#define RTL_CLONE_PROCESS_FLAGS_CREATE_SUSPENDED 0x00000001
8#ifndef RTL_CLONE_PROCESS_FLAGS_INHERIT_HANDLES
9#define RTL_CLONE_PROCESS_FLAGS_INHERIT_HANDLES 0x00000002
12#ifndef RTL_CLONE_PROCESS_FLAGS_NO_SYNCHRONIZE
13#define RTL_CLONE_PROCESS_FLAGS_NO_SYNCHRONIZE 0x00000004
112 if (!
lib)
return false;
115 if (!
proc1)
return false;
118 if (!
proc2)
return false;
121 if (!
proc3)
return false;
152 if (!
lib)
return false;
155 if (!
proc)
return false;
216 std::cerr <<
"[!] [" <<
GetProcessId(orig_hndl) <<
"] Cannot create reflection: timeout passed!\n";
227 std::cout <<
"Created reflection, PID = " << std::dec << args.
returned_pid <<
"\n";
260 std::cout <<
"PssCaptureSnapshot failed: " << std::hex <<
" ret: " <<
ret <<
" err: " <<
GetLastError() <<
"\n";
272 if (is_ok) std::cout <<
"Released process snapshot\n";
274 return is_ok ?
true :
false;
289 std::cout <<
"Clone PID = " << std::dec <<
clone_pid <<
"\n";
299#ifdef USE_PROCESS_SNAPSHOT
304#ifdef USE_RTL_PROCESS_REFLECTION
314 if (orig_hndl == NULL) {
318#ifdef USE_PROCESS_SNAPSHOT
328#ifdef USE_RTL_PROCESS_REFLECTION
338 if (procHndl == NULL || *procHndl == NULL) {
342 DWORD clone_pid = GetProcessId(*procHndl);
343 std::cout <<
"Releasing Clone, PID = " << std::dec << clone_pid <<
"\n";
345 BOOL is_ok = TerminateProcess(*procHndl, 0);
346 CloseHandle(*procHndl);
350 std::cout <<
"Released process reflection\n";
352 return is_ok ? true :
false;
PSS_CAPTURE_FLAGS DWORD ThreadContextFlags
PSS_CAPTURE_FLAGS CaptureFlags
NTSTATUS(NTAPI *_RtlCreateProcessReflection)(HANDLE ProcessHandle
PSS_QUERY_INFORMATION_CLASS InformationClass
HANDLE make_process_reflection1(HANDLE orig_hndl)
ULONG PVOID PVOID HANDLE T_RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION * ReflectionInformation
DWORD WINAPI refl_creator(LPVOID lpParam)
HPSS make_process_snapshot(HANDLE orig_hndl)
ULONG PVOID PVOID HANDLE EventHandle
bool can_make_process_reflection()
@ PSS_CAPTURE_HANDLE_NAME_INFORMATION
@ PSS_CREATE_USE_VM_ALLOCATIONS
@ PSS_CAPTURE_VA_SPACE_SECTION_INFORMATION
@ PSS_CAPTURE_THREAD_CONTEXT_EXTENDED
@ PSS_CAPTURE_RESERVED_00000400
@ PSS_CREATE_RELEASE_SECTION
@ PSS_CREATE_MEASURE_PERFORMANCE
@ PSS_CREATE_FORCE_BREAKAWAY
@ PSS_CREATE_BREAKAWAY_OPTIONAL
@ PSS_CAPTURE_HANDLE_TRACE
@ PSS_CAPTURE_THREAD_CONTEXT
@ PSS_CAPTURE_HANDLE_BASIC_INFORMATION
@ PSS_CAPTURE_RESERVED_00000002
@ PSS_CAPTURE_HANDLE_TYPE_SPECIFIC_INFORMATION
PSS_CAPTURE_FLAGS DWORD HPSS * SnapshotHandle
ULONG PVOID PVOID StartContext
PSS_QUERY_INFORMATION_CLASS void DWORD BufferLength
bool release_process_snapshot(HANDLE procHndl, HPSS snapshot)
BOOL(CALLBACK *_MiniDumpWriteDump)(HANDLE hProcess
bool load_RtlCreateProcessReflection()
bool release_process_reflection(HANDLE *reflection_hndl)
DWORD(__stdcall *_PssCaptureSnapshot)(HANDLE ProcessHandle
PSS_QUERY_INFORMATION_CLASS
@ PSS_QUERY_HANDLE_TRACE_INFORMATION
@ PSS_QUERY_PERFORMANCE_COUNTERS
@ PSS_QUERY_VA_SPACE_INFORMATION
@ PSS_QUERY_AUXILIARY_PAGES_INFORMATION
@ PSS_QUERY_PROCESS_INFORMATION
@ PSS_QUERY_THREAD_INFORMATION
@ PSS_QUERY_VA_CLONE_INFORMATION
@ PSS_QUERY_HANDLE_INFORMATION
PSS_QUERY_INFORMATION_CLASS void * Buffer
HANDLE make_process_reflection(HANDLE orig_hndl)
bool load_PssCaptureFreeSnapshot()
HANDLE make_process_reflection2(HPSS snapshot)
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
std::string info()
The string with the basic information about the scanner.
#define RTL_CLONE_PROCESS_FLAGS_INHERIT_HANDLES
T_CLIENT_ID ReflectionClientId
HANDLE ReflectionProcessHandle
HANDLE ReflectionThreadHandle
1.10.0