1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
use std::mem::{size_of, zeroed};
use std::ptr::null_mut;
use winapi::shared::minwindef::{DWORD, FALSE, LPCVOID, LPVOID, TRUE};
use winapi::um::handleapi::INVALID_HANDLE_VALUE;
use winapi::um::memoryapi::{ReadProcessMemory, WriteProcessMemory};
use winapi::um::processthreadsapi::OpenProcess;
use winapi::um::tlhelp32::{Module32FirstW, Module32NextW, MODULEENTRY32W, Process32FirstW, Process32NextW, PROCESSENTRY32W};
use winapi::um::winnt::{HANDLE, PROCESS_ALL_ACCESS};
use module::Module;
use snapshot::Snapshot;
use utils::{close_h, WinErrorKind, WinResult, remove_nil_bytes};
/// Represents a system process, posses a PID, name and an open [`HANDLE`]
pub struct Process {
name: String,
pid: DWORD,
handle: HANDLE,
}
impl Process {
/// Find a [`Process`] from it's executable's name
/// [Reference(s)]:
/// https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-process32firstw
/// https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-process32nextw
/// https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/ns-tlhelp32-processentry32w
pub fn find(name: &str) -> WinResult<Self> {
unsafe {
let snapshot = Snapshot::process();
let mut p_entry = zeroed::<PROCESSENTRY32W>();
// `dwSize` must be initialized with size of PROCESSENTRY32W before Process32FirstW or Process32NextW are called
p_entry.dwSize = size_of::<PROCESSENTRY32W>() as DWORD;
if !snapshot.handle().is_null() &&
snapshot.handle() != INVALID_HANDLE_VALUE &&
Process32FirstW(snapshot.handle(), &mut p_entry) != FALSE {
while {
if let Ok(p_name) = remove_nil_bytes(&p_entry.szExeFile) {
if p_name.starts_with(name) {
let pid = p_entry.th32ProcessID;
// Desire all access despite *probably* only needing VM_READ and VM_WRITE
let h_proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
return Ok(Process {
name: p_name,
pid,
handle: h_proc,
});
}
}
Process32NextW(snapshot.handle(), &mut p_entry) != FALSE
} {}
}
}
Err(WinErrorKind::FindProcessError)
}
/// Find a process's module (dll) by it's name
/// [Reference(s)]:
/// https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-module32firstw
/// https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-module32nextw
/// https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/ns-tlhelp32-moduleentry32w
pub fn find_module(&self, name: &str) -> WinResult<Module> {
unsafe {
let snapshot = Snapshot::module(self);
let mut m_entry = zeroed::<MODULEENTRY32W>();
// `dwSize` must be initialized with size of MODULEENTRY32W before Module32FirstW or Module32NextW are called
m_entry.dwSize = size_of::<MODULEENTRY32W>() as DWORD;
if !snapshot.handle().is_null() &&
snapshot.handle() != INVALID_HANDLE_VALUE &&
Module32FirstW(snapshot.handle(), &mut m_entry) != FALSE {
while {
if let Ok(m_name) = remove_nil_bytes(&m_entry.szModule) {
if m_name.starts_with(name) {
return Ok(Module {
name: m_name,
address: m_entry.modBaseAddr as DWORD,
len: m_entry.modBaseSize,
});
}
}
Module32NextW(snapshot.handle(), &mut m_entry) != FALSE
} {}
}
}
Err(WinErrorKind::FindModuleError)
}
/// Write to a process's memory, not relative to module offset
/// [Reference]: https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-writeprocessmemory
pub fn write_mem<T>(&self, buffer: &T, address: DWORD) -> WinResult<()> {
unsafe {
if WriteProcessMemory(self.handle,
address as LPVOID,
buffer as *const T as LPCVOID,
size_of::<T>(),
null_mut()) == TRUE {
Ok(())
} else {
Err(WinErrorKind::WriteMemoryError)
}
}
}
/// Write to a process's memory relative to the offset of a module
#[inline]
pub fn write_mem_relative<T>(&self, buffer: &T, module_name: &str, address: DWORD) -> WinResult<()> {
if let Ok(module) = self.find_module(module_name) {
self.write_mem(buffer, module.address() + address)
} else {
Err(WinErrorKind::WriteMemoryError)
}
}
/// Read a process's memory, not relative to module offset
/// [Reference]: https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-readprocessmemory
pub fn read_mem<T>(&self, address: DWORD) -> WinResult<T> {
unsafe {
// Initialize buffer
let mut buf = zeroed::<T>();
if ReadProcessMemory(self.handle,
address as LPVOID,
&mut buf as *mut T as LPVOID,
size_of::<T>(),
null_mut()) == TRUE {
Ok(buf)
} else {
Err(WinErrorKind::ReadMemoryError)
}
}
}
/// Read a process's memory address relative to the offset of a module
#[inline]
pub fn read_mem_relative<T>(&self, module_name: &str, address: DWORD) -> WinResult<T> {
if let Ok(module) = self.find_module(module_name) {
self.read_mem(module.address() + address)
} else {
Err(WinErrorKind::ReadMemoryError)
}
}
#[inline]
pub fn name(&self) -> &str {
&self.name
}
#[inline]
pub fn pid(&self) -> DWORD {
self.pid
}
#[inline]
pub fn handle(&self) -> HANDLE {
self.handle
}
}
/// Close [`Process`] [`HANDLE`] when [`Process`] goes out of scope or the program exits/panics
impl Drop for Process {
fn drop(&mut self) {
close_h(self.handle)
}
}