Revert project build number. Add PEB reading to get full process name

mandiant · Oct 29, 2024 · 61020f0 · 61020f0
1 parent c809d69
commit 61020f0
Show file tree

Hide file tree

Showing 2 changed files with 209 additions and 7 deletions.
diff --git a/C/STrace/Interface.h b/C/STrace/Interface.h
@@ -109,8 +109,8 @@ class CallerInfo
 
 		auto kproc = PsGetCurrentProcess();
 
-		// this name is truncated by the OS
-		strcpy_s(processName, PsGetProcessImageFileName(kproc));
+		// have to read the PEB for full name
+		GetFullProcessName(processName, sizeof(processName));
 		isWow64 = PsGetProcessWow64Process(kproc) != NULL;
 	}
 
@@ -205,17 +205,17 @@ class CallerInfo
 					return false;
 				}
 
-				if (!pPeb32->Ldr)
+				PPEB_LDR_DATA32 Ldr = (PPEB_LDR_DATA32)pPeb32->Ldr;
+				if (!Ldr)
 				{
 					return false;
 				}
 
 				// Search in InLoadOrderModuleList
-				for (PLIST_ENTRY32 pListEntry = (PLIST_ENTRY32)((PPEB_LDR_DATA32)pPeb32->Ldr)->InLoadOrderModuleList.Flink;
-					pListEntry != &((PPEB_LDR_DATA32)pPeb32->Ldr)->InLoadOrderModuleList;
+				for (PLIST_ENTRY32 pListEntry = (PLIST_ENTRY32)Ldr->InLoadOrderModuleList.Flink;
+					pListEntry != &Ldr->InLoadOrderModuleList;
 					pListEntry = (PLIST_ENTRY32)pListEntry->Flink)
 				{
-
 					PLDR_DATA_TABLE_ENTRY32 pEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY32, InLoadOrderLinks);
 
 					// unicode_string from wchar_t*
@@ -270,6 +270,71 @@ class CallerInfo
 		return true;
 	}
 
+	bool GetFullProcessName(char* ImagePathNarrowBuffer, uint16_t ImagePathNarrowBufferLength) {
+		__try {
+			if (isWow64)
+			{
+				PPEB32 pPeb32 = (PPEB32)PsGetProcessWow64Process(PsGetCurrentProcess());
+				if (pPeb32 == NULL)
+				{
+					return false;
+				}
+
+				if (!pPeb32->ProcessParameters)
+				{
+					return false;
+				}
+
+				PRTL_USER_PROCESS_PARAMETERS32 pUserProcessParams = (PRTL_USER_PROCESS_PARAMETERS32)pPeb32->ProcessParameters;
+				UNICODE_STRING32 ImagePathName32 = pUserProcessParams->ImagePathName;
+
+				// copy values to 64bit structure which is padded and aligned correctly
+				UNICODE_STRING ImagePath = UNICODE_STRING{
+					.Length = ImagePathName32.Length,
+					.MaximumLength = ImagePathName32.MaximumLength,
+					.Buffer = (PWCH)ImagePathName32.Buffer
+				};
+
+				memset(ImagePathNarrowBuffer, 0, ImagePathNarrowBufferLength);
+				ANSI_STRING ansi = { 0 };
+				ansi.Buffer = ImagePathNarrowBuffer;
+				ansi.Length = 0;
+				ansi.MaximumLength = ImagePathNarrowBufferLength;
+
+				RtlUnicodeStringToAnsiString(&ansi, &ImagePath, FALSE);
+			}
+			// Native process
+			else
+			{
+				PPEB pPeb = PsGetProcessPeb(PsGetCurrentProcess());
+				if (!pPeb)
+				{
+					return false;
+				}
+
+				if (!pPeb->ProcessParameters)
+				{
+					return false;
+				}
+
+				PRTL_USER_PROCESS_PARAMETERS pUserProcessParams = (PRTL_USER_PROCESS_PARAMETERS)pPeb->ProcessParameters;
+				UNICODE_STRING ImagePath = pUserProcessParams->ImagePathName;
+
+				memset(ImagePathNarrowBuffer, 0, ImagePathNarrowBufferLength);
+				ANSI_STRING ansi = { 0 };
+				ansi.Buffer = ImagePathNarrowBuffer;
+				ansi.Length = 0;
+				ansi.MaximumLength = ImagePathNarrowBufferLength;
+
+				RtlUnicodeStringToAnsiString(&ansi, &ImagePath, FALSE);
+			}
+		}
+		__except (EXCEPTION_EXECUTE_HANDLER) {
+			return false;
+		}
+		return true;
+	}
+
 	void UnicodeStrToNarrow(char buf[100], const char* fmt, ...) {
 		va_list args;
 		va_start(args, fmt);

diff --git a/C/STrace/NtStructs.h b/C/STrace/NtStructs.h
@@ -223,6 +223,8 @@ ULONG KphCaptureStackBackTrace(
     _Out_writes_(FramesToCapture) PVOID* BackTrace
 );
 
+NTSTATUS GetProcessNameFromPeb(_Out_writes_(BufferSize) PCHAR ProcessNameBuffer, ULONG BufferSize);
+
 typedef struct _RTL_PROCESS_MODULE_INFORMATION
 {
     HANDLE Section;
@@ -546,4 +548,139 @@ NTSTATUS KphEnumerateSystemModules(T callback){
         }
     } while (--attempts);
     return status;
-}
+}
+
+#define WOW64_POINTER(Type) ULONG
+#ifndef RTL_MAX_DRIVE_LETTERS
+#define RTL_MAX_DRIVE_LETTERS 32
+#endif
+
+typedef struct _CURDIR32
+{
+    UNICODE_STRING32 DosPath;
+    WOW64_POINTER(HANDLE) Handle;
+} CURDIR32, * PCURDIR32;
+
+typedef struct _RTL_DRIVE_LETTER_CURDIR32
+{
+    USHORT Flags;
+    USHORT Length;
+    ULONG TimeStamp;
+    STRING32 DosPath;
+} RTL_DRIVE_LETTER_CURDIR32, * PRTL_DRIVE_LETTER_CURDIR32;
+
+typedef struct _RTL_USER_PROCESS_PARAMETERS32
+{
+    ULONG MaximumLength;
+    ULONG Length;
+
+    ULONG Flags;
+    ULONG DebugFlags;
+
+    WOW64_POINTER(HANDLE) ConsoleHandle;
+    ULONG ConsoleFlags;
+    WOW64_POINTER(HANDLE) StandardInput;
+    WOW64_POINTER(HANDLE) StandardOutput;
+    WOW64_POINTER(HANDLE) StandardError;
+
+    CURDIR32 CurrentDirectory;
+    UNICODE_STRING32 DllPath;
+    UNICODE_STRING32 ImagePathName;
+    UNICODE_STRING32 CommandLine;
+    WOW64_POINTER(PVOID) Environment;
+
+    ULONG StartingX;
+    ULONG StartingY;
+    ULONG CountX;
+    ULONG CountY;
+    ULONG CountCharsX;
+    ULONG CountCharsY;
+    ULONG FillAttribute;
+
+    ULONG WindowFlags;
+    ULONG ShowWindowFlags;
+    UNICODE_STRING32 WindowTitle;
+    UNICODE_STRING32 DesktopInfo;
+    UNICODE_STRING32 ShellInfo;
+    UNICODE_STRING32 RuntimeData;
+    RTL_DRIVE_LETTER_CURDIR32 CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
+
+    WOW64_POINTER(ULONG_PTR) EnvironmentSize;
+    WOW64_POINTER(ULONG_PTR) EnvironmentVersion;
+    WOW64_POINTER(PVOID) PackageDependencyData;
+    ULONG ProcessGroupId;
+    ULONG LoaderThreads;
+
+    UNICODE_STRING32 RedirectionDllName; // REDSTONE4
+    UNICODE_STRING32 HeapPartitionName; // 19H1
+    WOW64_POINTER(ULONGLONG) DefaultThreadpoolCpuSetMasks;
+    ULONG DefaultThreadpoolCpuSetMaskCount;
+    ULONG DefaultThreadpoolThreadMaximum;
+} RTL_USER_PROCESS_PARAMETERS32, * PRTL_USER_PROCESS_PARAMETERS32;
+
+typedef struct _CURDIR
+{
+    UNICODE_STRING DosPath;
+    HANDLE Handle;
+} CURDIR, * PCURDIR;
+
+#define RTL_USER_PROC_CURDIR_CLOSE 0x00000002
+#define RTL_USER_PROC_CURDIR_INHERIT 0x00000003
+
+typedef struct _RTL_DRIVE_LETTER_CURDIR
+{
+    USHORT Flags;
+    USHORT Length;
+    ULONG TimeStamp;
+    STRING DosPath;
+} RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR;
+
+typedef struct _RTL_USER_PROCESS_PARAMETERS
+{
+    ULONG MaximumLength;
+    ULONG Length;
+
+    ULONG Flags;
+    ULONG DebugFlags;
+
+    HANDLE ConsoleHandle;
+    ULONG ConsoleFlags;
+    HANDLE StandardInput;
+    HANDLE StandardOutput;
+    HANDLE StandardError;
+
+    CURDIR CurrentDirectory;
+    UNICODE_STRING DllPath;
+    UNICODE_STRING ImagePathName;
+    UNICODE_STRING CommandLine;
+    PVOID Environment;
+
+    ULONG StartingX;
+    ULONG StartingY;
+    ULONG CountX;
+    ULONG CountY;
+    ULONG CountCharsX;
+    ULONG CountCharsY;
+    ULONG FillAttribute;
+
+    ULONG WindowFlags;
+    ULONG ShowWindowFlags;
+    UNICODE_STRING WindowTitle;
+    UNICODE_STRING DesktopInfo;
+    UNICODE_STRING ShellInfo;
+    UNICODE_STRING RuntimeData;
+    RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
+
+    ULONG_PTR EnvironmentSize;
+    ULONG_PTR EnvironmentVersion;
+
+    PVOID PackageDependencyData;
+    ULONG ProcessGroupId;
+    ULONG LoaderThreads;
+    UNICODE_STRING RedirectionDllName; // REDSTONE4
+    UNICODE_STRING HeapPartitionName; // 19H1
+    PULONGLONG DefaultThreadpoolCpuSetMasks;
+    ULONG DefaultThreadpoolCpuSetMaskCount;
+    ULONG DefaultThreadpoolThreadMaximum;
+    ULONG HeapMemoryTypeMask; // WIN11
+} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;