/*
Process utility script
(c) Hex-Rays
*/
#include <idc.idc>
//--------------------------------------------------------------------------
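static KillProcess(pid)
{
  // Terminate process 'pid': attach the debugger to it, then stop (kill)
  // the debuggee.
  // Returns 1 on success, 0 if the attach or the stop request failed.
  if (!AttachToProcess(pid))
    return 0;
  // If the stop request is rejected, bail out instead of waiting below with
  // an infinite timeout for an exit event that will never arrive.
  if (!StopDebugger())
    return 0;
  // Normally, we should get a PROCESS_EXIT event; consume it so the
  // debugger state is settled before returning to the caller.
  GetDebuggerEvent(WFNE_SUSP, -1);
  return 1;
}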
//--------------------------------------------------------------------------
static GetProcessCommandLine()
{
  // Retrieve the command line of the current debuggee by calling
  // kernel32!GetCommandLineA inside the debuggee (Appcall).
  // Returns the command line string, or 0 if the API could not be located
  // or the Appcall failed.
  auto err;
  auto fn = LocByName("kernel32_GetCommandLineA");
  if (fn == BADADDR)
    return 0;
  // Appcall needs a prototype at the address to know how to invoke it
  SetType(fn, "char * __stdcall x();");
  try
  {
    // Appcall: executes the function in the debuggee and returns its result
    return fn();
  }
  catch (err)
  {
    // Best effort: any Appcall failure is reported as "no command line"
    return 0;
  }
}
//--------------------------------------------------------------------------
static FindProcessByName(name)
{
  // Collect the pids of every running process whose name contains 'name'.
  // Returns an object whose integer keys 0..count-1 hold the pids and whose
  // 'count' member holds how many matches were found (0 when none).
  // Note: strstr() makes this a substring match, not an exact one, so a
  // short pattern can match several unrelated processes.
  auto result = object();
  auto total = GetProcessQty();
  auto idx = 0, found = 0;
  while (idx < total)
  {
    if (strstr(GetProcessName(idx), name) != -1)
    {
      result[found] = GetProcessPid(idx);
      found = found + 1;
    }
    idx = idx + 1;
  }
  result.count = found;
  return result;
}
//--------------------------------------------------------------------------
static AttachToProcess(pid)
{
  // Attach the debugger to an already running process.
  // pid: id of the process to attach to.
  // Returns 1 when attached, 0 if AttachProcess() reported anything other
  // than success (1).
  auto attached = (AttachProcess(pid, -1) == 1);
  if (attached)
  {
    // Normally, we should get a PROCESS_ATTACH event; wait for it with an
    // infinite timeout so the debuggee is suspended when we return.
    GetDebuggerEvent(WFNE_SUSP, -1);
  }
  return attached;
}
//--------------------------------------------------------------------------
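static DetachFromProcess()
{
  // Detach the debugger from the current debuggee, leaving it running.
  // Returns 1 on success, 0 if the detach request was rejected.
  // Without this check a rejected detach would leave us waiting below with
  // an infinite timeout for a PROCESS_DETACH event that never comes.
  if (!DetachProcess())
    return 0;
  // Normally, we should get a PROCESS_DETACH event; consume it so the
  // debugger state is settled before returning to the caller.
  GetDebuggerEvent(WFNE_SUSP, -1);
  return 1;
}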