moon-driver-utils 0.1.0

use core::ffi::c_void;

use wdk::println;
use wdk_sys::{
    ntddk::{PsLookupProcessByProcessId, SeLocateProcessImageName},
    LIST_ENTRY, NT_SUCCESS, PEPROCESS, UNICODE_STRING, _KPROCESS,
};

use crate::{
    error::Error,
    kernel_fucntion::PsGetProcessImageFileName,
    string::{cstr_to_rust_str, get_file_name_from_path, unicode_string_to_string},
};

pub fn get_process_name(
    eprocess: *mut c_void,
    process_name_us: &mut UNICODE_STRING,
) -> Result<(), Error> {
    // TODO: singleton
    // let Ok(kernel_base) = find_kernel_base() else{
    //     println!("kernel base not find");
    //     return Err(Error::NotFind);
    // };

    // let dbgkp_section_to_file_handle = unsafe {
    //     kernel_base.add(OS_INFO.func_offset.dbgkp_section_to_file_handle as usize)
    // };

    unsafe {
        // let dbgkp_section_to_file_handle: DbgkpSectionToFileHandleFn = core::mem::transmute(dbgkp_section_to_file_handle);
        // let section_object = *(eprocess.add(OS_INFO.offset.eprocess_section_object) as *mut u64);
        // let file_handle = dbgkp_section_to_file_handle(section_object as _);
        // println!("file handle:{:p}",file_handle);

        // let mut file_object: *mut c_void = core::ptr::null_mut();
        // let status = ObReferenceObjectByHandle(file_handle, 0, *IoFileObjectType, KernelMode as _, &mut file_object as _,core::ptr::null_mut());
        // if !NT_SUCCESS(status){
        //     println!("file object not find");
        //     return Err(Error::NotFind);
        // }
        // println!("file object:{:p}",file_object);

        // asm!{"int 3"}

        let mut us: *mut UNICODE_STRING = core::ptr::null_mut();
        let r = SeLocateProcessImageName(eprocess as _, &mut us as *mut _);
        if !NT_SUCCESS(r) {
            return Err(Error::NotFind);
        } else {
            if (*us).Length == 0 {
                return Err(Error::NotFind);
            }
            println!("{}", unicode_string_to_string(&*us));
            let us = &mut (*us);
            get_file_name_from_path(us, process_name_us);
        }

        return Ok(());
    }
}

pub fn get_process_by_name(name: &str) -> Result<*mut _KPROCESS, Error> {
    for i in (4..=262144).step_by(4) {
        let process = lookup_process(i as _);
        let Ok(process) = process else {
            continue;
        };

        unsafe {
            let cname: *mut u8 = PsGetProcessImageFileName(process as _);
            if cstr_to_rust_str(cname) == name {
                return Ok(process);
            }
        }
    }

    Err(Error::NotFind)
}

pub fn lookup_process(pid: u32) -> Result<*mut _KPROCESS, Error> {
    let mut process: *mut _KPROCESS = core::ptr::null_mut();
    let status = unsafe { PsLookupProcessByProcessId(pid as _, &mut process as *mut PEPROCESS) };
    if !NT_SUCCESS(status) {
        return Err(Error::NotFind);
    }
    Ok(process)
}

pub unsafe fn unlink_process_from_active_list(
    process: *mut core::ffi::c_void,
    active_process_links_offset: usize,
) {
    if process.is_null() || active_process_links_offset == 0 {
        return;
    }

    let active_process_links_ptr =
        (process as usize + active_process_links_offset) as *mut LIST_ENTRY;

    let flink = (*active_process_links_ptr).Flink;
    let blink = (*active_process_links_ptr).Blink;

    if !flink.is_null() && !blink.is_null() {
        // Blink->Flink = Flink;
        (*blink).Flink = flink;
        // Flink->Blink = Blink;
        (*flink).Blink = blink;
    }

    // Self loop to isolate
    (*active_process_links_ptr).Flink = active_process_links_ptr;
    (*active_process_links_ptr).Blink = active_process_links_ptr;
}