Beefy Boxes and Bandwidth Generously Provided by pair Networks
more useful options
 
PerlMonks  

Comment on

( #3333=superdoc: print w/ replies, xml ) Need Help??

I am trying to use the Win32::API module to determine if a particular Windows process has DEP enabled or not. I believe my confusion is in how to pass the appropriate type of information into GetProcessDEPPolicy(). Any help would be greatly appreciated!!!!

#!/usr/bin/perl -w use strict; use Win32::OLE; use Win32::API; my $PROCESS_QUERY_INFORMATION = 0x0400; my $TOKEN_QUERY = 0x0008; my $TOKEN_ADJUST_PRIVILEGES = 0x0020; my $SE_PRIVILEGE_ENABLED = 0x02; my $SE_DEBUG_NAME = "SeDebugPrivilege"; my $objWMIService; my $colItems; my $iResult; unless ($objWMIService = Win32::OLE->GetObject("winmgmts:{impersonatio +nLevel=impersonate}!\\\\localhost\\root\\cimv2")) { throw Error::Simple("Could not connect to WMI Service on 'localhos +t'while attempting to collect a remote item. The error returned was: + " . Win32::OLE->LastError() . "."); } unless($colItems= $objWMIService->ExecQuery("SELECT * FROM Win32_Proce +ss", "WQL",0x10 | 0x20)) { throw Error::Simple("Could not extract notification query from WMI + Service on 'localhost'. The error returned was: " . Win32::OLE->Last +Error() . "."); } my $OpenProcess = Win32::API->new('kernel32.dll', 'OpenProcess', 'NIN' +, 'N') or die $^E; my $CloseHandle = new Win32::API( 'kernel32.dll', 'CloseHandle', 'N', +'I' ) || die "Can not link to CloseHandle()"; my $GetProcessDEPPolicy = Win32::API->new('kernel32.dll', 'GetProcessD +EPPolicy', 'NPP', 'I' ) or die $^E; my $GetCurrentProcess = new Win32::API( 'Kernel32.dll', 'GetCurrentPro +cess', [], 'N' ) || die; my $OpenProcessToken = new Win32::API( 'AdvApi32.dll', 'OpenProcessTok +en', 'NNP', 'I' ) || die; my $AdjustTokenPrivileges = new Win32::API( 'AdvApi32.dll', 'AdjustTok +enPrivileges', 'NIPNPP', 'I' ) || die; my $LookupPrivilegeValue = new Win32::API( 'AdvApi32.dll', 'LookupPriv +ilegeValue', 'PPP', 'I' ) || die; foreach my $objItem (in $colItems) { if(defined($objItem->{CommandLine})) { if($objItem->{CommandLine} ne '') { print "pid: " . $objItem->{'ProcessId'} ."\n"; my $pid = sprintf("%d", $objItem->{'ProcessId'}); my $phToken = pack( "L", 0 ); my $dep = pack( "L", 0 ); if( $OpenProcessToken->Call( $GetCurrentProcess->Call(), $ +TOKEN_ADJUST_PRIVILEGES | $TOKEN_QUERY, $phToken ) ) { my $hToken = unpack( "L", $phToken ); if( SetPrivilege( $hToken, $SE_DEBUG_NAME, 1 ) ) { my $hProcess = $OpenProcess->Call( $PROCESS_QUERY_ +INFORMATION, 0, $pid ); if( $hProcess ) { print "handle: " . $hProcess ."\n"; my $return = $GetProcessDEPPolicy->Call($hProc +ess, $dep, 0); if ($return == 0) #return always equals 0, Get +LastError: The parameter is incorrect. { print "GetProcessDEPPolicy failed with err +or: " . Win32::FormatMessage(Win32::GetLastError()); } SetPrivilege( $hToken, $SE_DEBUG_NAME, 0 ); $CloseHandle->Call( $hProcess ); } else { print "OpenProcess failed with error: " . Win3 +2::FormatMessage(Win32::GetLastError()); } } $CloseHandle->Call( $hToken ); } else { print "OpenProcessToken failed with error: " . Win32:: +FormatMessage(Win32::GetLastError()); } print "System_Functions->getProcessInfo collected dep: " . + $dep ."\n"; print "System_Functions->getProcessInfo collected primary_ +window_text: " . $objItem->{'Caption'} ."\n"; } } } sub SetPrivilege { my( $hToken, $pszPriv, $bSetFlag ) = @_; my $pLuid = pack( "Ll", 0, 0 ); if( $LookupPrivilegeValue->Call( "\x00\x00", $pszPriv, $pLuid ) ) { my $pPrivStruct = pack( "LLlL", 1, unpack( "Ll", $pLuid ), ( ( + $bSetFlag )? $SE_PRIVILEGE_ENABLED : 0 ) ); $iResult = ( 0 != $AdjustTokenPrivileges->Call( $hToken, 0,$pP +rivStruct, length( $pPrivStruct ), 0, 0 ) ); } print "iResult: $iResult\n"; return( $iResult ); }

my $return = $GetProcessDEPPolicy->Call($hProcess, $dep, 0); always equals zero and the Win32::GetLastError() is "The parameter is incorrect." I cannot figure out which parameter is incorrect. Is there more verbose logging I can enable somehow?


In reply to Win32::API GetProcessDEPPolicy usage by dt667

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • Outside of code tags, you may need to use entities for some characters:
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?
    Username:
    Password:

    What's my password?
    Create A New User
    Chatterbox?
    and the web crawler heard nothing...

    How do I use this? | Other CB clients
    Other Users?
    Others making s'mores by the fire in the courtyard of the Monastery: (6)
    As of 2014-08-20 22:05 GMT
    Sections?
    Information?
    Find Nodes?
    Leftovers?
      Voting Booth?

      The best computer themed movie is:











      Results (124 votes), past polls