v1.5.1

CHANGELOG.md

@@ -4,6 +4,18 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 
 
+## [1.5.1] - 2022-12-19
+
+### Added
+- re added kernel debug log dumping
+- added more handle information
+- added option to block processes from starting using the driver
+
+### Fixed
+- fixed issue with opening job objects
+
+
+
 ## [1.5.0] - 2022-12-10
 
 ### Changed

TaskExplorer/API/Windows/Monitors/WinDbgMonitor.cpp

@@ -237,8 +237,8 @@ CWinDbgMonitor::~CWinDbgMonitor()
 		m->UnInit(false);
 	if (m->GlobalCaptureEnabled)
 		m->UnInit(true);
-	//if (m->KernelCaptureEnabled) // todo: xxxx si
-	//	KphSetDebugLog(FALSE);
+	if (m->KernelCaptureEnabled)
+		KphSetDebugLog(FALSE);
 
 	delete m;
 }
@@ -283,28 +283,36 @@ static NTSTATUS DbgEventsGlobalThread(PVOID Parameter)
 	return DbgEventsThread(true, (CWinDbgMonitor*)Parameter);
 }
 
-static NTSTATUS DbgEventsKernelThread(PVOID Parameter)
-{
-	CWinDbgMonitor* This = (CWinDbgMonitor*)Parameter;
-
-	/*ULONG SequenceNumber = 0; // todo: xxxx si
-
-	while (TRUE)
-	{
-		SIZE_T Length = 0;
-		char Buffer[8 * 1024] = { 0 };
-		NTSTATUS status = KphReadDebugLog(&SequenceNumber, Buffer, ARRSIZE(Buffer), &Length);
-		if (status == STATUS_NO_MORE_ENTRIES) {
-			QThread::msleep(10);
-			continue;
-		}
-		if (!NT_SUCCESS(status) && status != STATUS_BUFFER_TOO_SMALL) // Note: if the buffer was to small it still wil hold a truncated result
-			break;
-
-		emit This->DebugMessage((quint64)SYSTEM_PROCESS_ID, QString::fromLatin1(Buffer, Length));
-	}*/
-
-	return STATUS_SUCCESS;
+//static NTSTATUS DbgEventsKernelThread(PVOID Parameter)
+//{
+//	CWinDbgMonitor* This = (CWinDbgMonitor*)Parameter;
+//	
+//	ULONG SequenceNumber = 0; 
+//
+//	while (TRUE)
+//	{
+//		SIZE_T Length = 0;
+//		char Buffer[8 * 1024] = { 0 };
+//		NTSTATUS status = KphReadDebugLog(&SequenceNumber, Buffer, ARRSIZE(Buffer), &Length);
+//		if (status == STATUS_NO_MORE_ENTRIES) {
+//			QThread::msleep(10);
+//			continue;
+//		}
+//		if (!NT_SUCCESS(status) && status != STATUS_BUFFER_TOO_SMALL) // Note: if the buffer was to small it still wil hold a truncated result
+//			break;
+//
+//		emit This->DebugMessage((quint64)SYSTEM_PROCESS_ID, QString::fromLatin1(Buffer, Length));
+//	}
+//
+//	return STATUS_SUCCESS;
+//}
+
+extern void (*g_KernelDebugLogger)(const QString& Output);
+
+void KernelDebugLogger(const QString& Output)
+{
+	if (theAPI && ((CWindowsAPI*)theAPI)->m_pDebugMonitor)
+		((CWindowsAPI*)theAPI)->m_pDebugMonitor->DebugMessage((quint64)SYSTEM_PROCESS_ID, Output);
 }
 
 STATUS CWinDbgMonitor::SetMonitor(EModes Mode)
@@ -339,19 +347,22 @@ STATUS CWinDbgMonitor::SetMonitor(EModes Mode)
 
 	if ((Mode & eKernel) != 0)
 	{
-		/*if (!m->KernelCaptureEnabled) // todo: xxxx si
+		if (!m->KernelCaptureEnabled)
 		{
+			if(!g_KernelDebugLogger)
+				g_KernelDebugLogger = KernelDebugLogger;
+
 			NTSTATUS status = KphSetDebugLog(TRUE);
 			if (!NT_SUCCESS(status))
 				return ERR("KphSetDebugLog", status);
 			m->KernelCaptureEnabled = TRUE;
-			if (HANDLE threadHandle = PhCreateThread(0, (PUSER_THREAD_START_ROUTINE)DbgEventsKernelThread, this))
-				NtClose(threadHandle);
-		}*/
+			//if (HANDLE threadHandle = PhCreateThread(0, (PUSER_THREAD_START_ROUTINE)DbgEventsKernelThread, this))
+			//	NtClose(threadHandle);
+		}
 	}
 	else if(m->KernelCaptureEnabled)
 	{
-		//KphSetDebugLog(FALSE); // todo: xxxx si
+		KphSetDebugLog(FALSE);
 		m->KernelCaptureEnabled = FALSE;
 	}
 

TaskExplorer/API/Windows/ProcessHacker.cpp

@@ -12,6 +12,7 @@
 
 #include "stdafx.h"
 #include "ProcessHacker.h"
+#include <kphmsgdyn.h>
 #include <settings.h>
 
 QString CastPhString(PPH_STRING phString, bool bDeRef)
@@ -196,29 +197,65 @@ int InitPH(bool bSvc)
 	return 0;
 }
 
+bool (*g_KernelProcessMonitor)(quint64 ProcessId, quint64 ParrentId, const QString& FileName, const QString& CommandLine) = NULL;
+
+void (*g_KernelDebugLogger)(const QString& Output) = NULL;
+
 extern "C" {
 
 static VOID NTAPI KsiCommsCallback(
     _In_ ULONG_PTR ReplyToken,
     _In_ PCKPH_MESSAGE Message
     )
 {
-    PPH_FREE_LIST freelist;
-    PKPH_MESSAGE msg;
-
-    if (Message->Header.MessageId != KphMsgProcessCreate)
-    {
-        return;
-    }
-
-    freelist = KphGetMessageFreeList();
-
-    msg = (PKPH_MESSAGE)PhAllocateFromFreeList(freelist);
-    KphMsgInit(msg, KphMsgProcessCreate);
-    msg->Reply.ProcessCreate.CreationStatus = STATUS_SUCCESS;
-    KphCommsReplyMessage(ReplyToken, msg);
-
-    PhFreeToFreeList(freelist, msg);
+	switch (Message->Header.MessageId)
+	{
+		case KphMsgProcessCreate:
+		{
+			PPH_FREE_LIST freelist = KphGetMessageFreeList();
+
+			PKPH_MESSAGE msg = (PKPH_MESSAGE)PhAllocateFromFreeList(freelist);
+			KphMsgInit(msg, KphMsgProcessCreate);
+			if (g_KernelProcessMonitor) 
+			{
+				quint64 ProcessId = (quint64)Message->Kernel.ProcessCreate.TargetProcessId;
+				quint64 ParrentId = (quint64)Message->Kernel.ProcessCreate.ParentProcessId;
+
+				QString FileName;
+				UNICODE_STRING fileName = { 0 };
+				if (NT_SUCCESS(KphMsgDynGetUnicodeString(Message, KphMsgFieldFileName, &fileName))) {
+					PPH_STRING oldFileName = PhCreateString(fileName.Buffer);
+					PPH_STRING newFileName = PhGetFileName(oldFileName);
+					PhDereferenceObject(oldFileName);
+					FileName = CastPhString(newFileName);
+				}
+
+				QString CommandLine;
+				UNICODE_STRING commandLine = { 0 };
+				if (NT_SUCCESS(KphMsgDynGetUnicodeString(Message, KphMsgFieldCommandLine, &commandLine)))
+					CommandLine = QString::fromWCharArray(commandLine.Buffer, commandLine.Length / sizeof(wchar_t));
+
+				msg->Reply.ProcessCreate.CreationStatus = g_KernelProcessMonitor(ProcessId, ParrentId, FileName, CommandLine) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
+			}
+			else
+				msg->Reply.ProcessCreate.CreationStatus = STATUS_SUCCESS;
+			KphCommsReplyMessage(ReplyToken, msg);
+
+			PhFreeToFreeList(freelist, msg);
+
+			break;
+		}
+		case KphMsgDebugPrint:
+		{
+			ANSI_STRING aStr;
+			if (NT_SUCCESS(KphMsgDynGetAnsiString(Message, KphMsgFieldOutput, &aStr)))
+			{
+				if(g_KernelDebugLogger)
+					g_KernelDebugLogger(QString::fromLatin1(aStr.Buffer, aStr.Length));
+			}
+			break;
+		}
+	}
 }
 
 }
@@ -332,6 +369,42 @@ STATUS InitKPH(QString DeviceName, QString FileName)
 	return Status;
 }
 
+bool KphSetDebugLog(bool Enable)
+{
+	NTSTATUS status;
+	KPH_INFORMER_SETTINGS Settings;
+	if (NT_SUCCESS(status = KphGetInformerSettings(&Settings))) {
+		Settings.DebugPrint = Enable;
+		status = KphSetInformerSettings(&Settings);
+	}
+	return NT_SUCCESS(status);
+}
+
+bool KphSetSystemMon(bool Enable)
+{
+	if (!KphCommsIsConnected())
+		return false;
+
+	NTSTATUS status;
+	KPH_INFORMER_SETTINGS Settings;
+	if (NT_SUCCESS(status = KphGetInformerSettings(&Settings))) {
+		Settings.ProcessCreate = Enable;
+		status = KphSetInformerSettings(&Settings);
+	}
+	return NT_SUCCESS(status);
+}
+
+bool KphGetSystemMon()
+{
+	if (!KphCommsIsConnected())
+		return false;
+
+	KPH_INFORMER_SETTINGS Settings;
+	if (NT_SUCCESS(KphGetInformerSettings(&Settings)))
+		return Settings.ProcessCreate;
+	return false;
+}
+
 void PhShowAbout(QWidget* parent)
 {
 		QString AboutCaption = QString(

TaskExplorer/API/Windows/ProcessHacker.h

@@ -96,6 +96,10 @@ int InitPH(bool bSvc = false);
 
 STATUS InitKPH(QString DeviceName, QString FileName);
 
+bool KphSetDebugLog(bool Enable);
+bool KphSetSystemMon(bool Enable);
+bool KphGetSystemMon();
+
 void PhShowAbout(QWidget* parent);
 
 #endif