/*
* USAGE: tasklist_wmi.exe
*
* List processes on local or remote system, optionally filter by ID, name, or WQL query
*
* Examples:
* tasklist_wmi.exe /v
*
* tasklist_wmi.exe /S 192.168.20.10 /FI "Name Like 'cmd%'"
*
* tasklist_wmi.exe /S 192.168.20.10 /FI "CommandLine Like '%svchost%'"
*
* tasklist_wmi.exe /S 192.168.20.10 /U Desktop-624L8K3\Administrator /P password /FI "CommandLine Like '%svchost%'"
*/
// Source:
// - https://stackoverflow.com/questions/777548/how-do-i-determine-the-owner-of-a-process-in-c
// C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe /t:exe /out:bin\tasklist_wmi.exe tasklist_wmi.cs
using System;
using System.Collections.Generic;
using System.Management;
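/// <summary>
/// WMI-based tasklist clone. Lists Win32_Process instances on the local or a remote
/// system, optionally filtered by process ID, image name or a raw WQL WHERE clause,
/// and in verbose mode resolves each process owner via Win32_Process.GetOwner.
/// </summary>
/// <remarks>
/// Credentials given with /U and /P are part of this process's own command line and
/// of the invoking shell's history, so they are readable by anyone who can read either
/// (including through a CommandLine query of the kind this tool itself performs).
/// The header shows the file being built with the .NET 3.5 csc, so the code stays
/// within C# 3 syntax (no string interpolation, no using declarations, no nameof).
/// </remarks>
class TaskList
{
    // Width to which property names are padded in the output.
    private const int MaxKeyLength = 15;

    // Win32_Process properties requested, in output order. "Handle" is fetched only because
    // GetOwner needs it in verbose mode; PrintProcesses swaps it for "User Name" or drops it.
    private static readonly string[] QueriedProperties = new[]
    {
        "ProcessId", "ParentProcessId", "SessionId", "Name", "Handle", "ExecutablePath", "CommandLine"
    };

    // Command-line options after parsing; the defaults are the tool's original defaults.
    private sealed class Options
    {
        public string Server = ".";      // WMI server; "." is the local machine
        public string Username = "";
        public string Password = "";
        public string Delimiter = "";    // printed after every process entry
        public int Pid = -1;
        public string Image = "";
        public string Condition = "";    // raw WQL WHERE clause from /FI
        public bool PidSet;
        public bool ImageSet;
        public bool ConditionSet;
        public bool Verbose;
        public bool ShowHelp;
    }

    /// <summary>Prints command-line usage and examples to standard output.</summary>
    public static void PrintUsage()
    {
        Console.WriteLine(@"List processes on local or remote system, optionally filter by ID or name
USAGE:
tasklist_wmi.exe [/S system [/U [domain\]username /P password]] [ [/PID processid | /IM imagename | /FI ""WQL where clause""] ] [/V] [/D ""<delimiter>""] [/?]
*NOTE*: When using /FI, you must provide a Win32_Process-compatible WMI query language condition string rather than a standard tasklist filter. You may use '%' as a wildcard
Examples:
tasklist_wmi.exe /v
tasklist_wmi.exe /S 192.168.20.10 /FI ""Name Like 'cmd%'""
tasklist_wmi.exe /S 192.168.20.10 /FI ""CommandLine Like '%svchost%'""
tasklist_wmi.exe /S 192.168.20.10 /U Desktop-624L8K3\Administrator /P password /FI ""CommandLine Like '%svchost%'""");
    }

    /// <summary>
    /// Entry point: parses <paramref name="args"/>, queries Win32_Process and prints the results.
    /// Any error is reported on standard error as a single "[-] ERROR" line; "DONE" is always printed last.
    /// </summary>
    /// <param name="args">Command-line arguments; see <see cref="PrintUsage"/> for the accepted switches.</param>
    public static void Main(string[] args)
    {
        try
        {
            Options opts = ParseArguments(args);
            if (opts.ShowHelp)
            {
                PrintUsage();
                return;
            }

            ManagementScope scope = BuildScope(opts);
            List<Dictionary<string, string>> processes = QueryProcesses(scope, BuildCondition(opts), opts.Verbose);
            PrintProcesses(processes, opts.Verbose, opts.Delimiter);
        }
        catch (Exception e)
        {
            Console.Error.WriteLine("[-] ERROR: {0}", e.Message.Trim());
        }
        finally
        {
            Console.WriteLine("\nDONE");
        }
    }

    // Parses the switch/value pairs; returns as soon as /? is seen so help wins over any later argument.
    private static Options ParseArguments(string[] args)
    {
        Options opts = new Options();
        for (int i = 0; i < args.Length; i++)
        {
            string arg = args[i];
            // Invariant casing so that e.g. "/pid" still matches under culture-specific casing rules.
            switch (arg.ToUpperInvariant())
            {
                case "-D":
                case "/D":
                    opts.Delimiter = RequireValue(args, ++i, "No delimiter specified");
                    break;
                case "-S":
                case "/S":
                    // Accept "\\SERVER" as well as "SERVER".
                    opts.Server = RequireValue(args, ++i, "No system specified").Trim('\\', ' ');
                    break;
                case "-PID":
                case "/PID":
                {
                    // A missing value used to surface as a bare IndexOutOfRangeException here.
                    string pidText = RequireValue(args, ++i, "No PID specified");
                    int pid;
                    // A negative PID used to be accepted and then silently ignored as a filter.
                    if (!int.TryParse(pidText, out pid) || pid < 0)
                    {
                        throw new ArgumentException("Invalid PID");
                    }
                    opts.Pid = pid;
                    opts.PidSet = true;
                    break;
                }
                case "-IM":
                case "/IM":
                    opts.Image = RequireValue(args, ++i, "No image specified");
                    opts.ImageSet = true;
                    break;
                case "-FI":
                case "/FI":
                    opts.Condition = RequireValue(args, ++i, "No filter specified");
                    opts.ConditionSet = true;
                    break;
                case "-U":
                case "/U":
                    opts.Username = RequireValue(args, ++i, "No username specified");
                    break;
                case "-P":
                case "/P":
                    opts.Password = RequireValue(args, ++i, "No password specified");
                    break;
                case "-V":
                case "/V":
                    opts.Verbose = true;
                    break;
                case "/?":
                    opts.ShowHelp = true;
                    return opts;
                default:
                    // A misspelled switch used to be ignored, which silently dropped the intended filter.
                    throw new ArgumentException("Unknown argument: " + arg);
            }
        }

        int filterCount = (opts.PidSet ? 1 : 0) + (opts.ImageSet ? 1 : 0) + (opts.ConditionSet ? 1 : 0);
        if (filterCount > 1)
        {
            throw new ArgumentException("Only one of /PID, /IM and /FI may be specified");
        }
        // Credentials are only meaningful as a pair.
        if ((opts.Username.Length > 0) != (opts.Password.Length > 0))
        {
            throw new ArgumentException("Please specify username and password");
        }
        return opts;
    }

    // Returns args[index], or throws ArgumentException with the given message when the switch has no value.
    private static string RequireValue(string[] args, int index, string message)
    {
        if (index >= args.Length)
        {
            throw new ArgumentException(message);
        }
        return args[index];
    }

    // Builds the root\cimv2 scope on the requested server, with explicit credentials when supplied.
    private static ManagementScope BuildScope(Options opts)
    {
        ConnectionOptions connOpts = new ConnectionOptions();
        // ParseArguments guarantees username and password are either both set or both empty.
        if (opts.Username.Length > 0)
        {
            connOpts.Username = opts.Username;
            connOpts.Password = opts.Password;
        }
        ManagementPath path = new ManagementPath { NamespacePath = @"root\cimv2", Server = opts.Server };
        return new ManagementScope(path, connOpts);
    }

    // Turns /PID or /IM into a WQL WHERE clause; /FI is passed through verbatim (it is already WQL).
    private static string BuildCondition(Options opts)
    {
        if (opts.PidSet)
        {
            return "PROCESSID = '" + opts.Pid + "'";
        }
        if (opts.ImageSet)
        {
            return "NAME = '" + EscapeWqlLiteral(opts.Image) + "'";
        }
        return opts.Condition;
    }

    // Escapes backslashes and single quotes so the value cannot end the WQL string literal early.
    private static string EscapeWqlLiteral(string value)
    {
        return value.Replace("\\", "\\\\").Replace("'", "\\'");
    }

    // Runs the Win32_Process query and copies the requested properties (plus the owner in verbose mode)
    // into one string dictionary per process, disposing every WMI object it touches.
    private static List<Dictionary<string, string>> QueryProcesses(ManagementScope scope, string condition, bool verbose)
    {
        SelectQuery query = new SelectQuery("Win32_Process", condition, QueriedProperties);
        List<Dictionary<string, string>> processes = new List<Dictionary<string, string>>();
        using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, query))
        using (ManagementObjectCollection results = searcher.Get())
        {
            foreach (ManagementObject proc in results)
            {
                if (proc == null)
                {
                    continue;
                }
                // Each result holds a COM object; release it as soon as its values are copied.
                using (proc)
                {
                    Dictionary<string, string> info = new Dictionary<string, string>();
                    foreach (string prop in QueriedProperties)
                    {
                        object val = proc.GetPropertyValue(prop);
                        if (val != null)
                        {
                            info.Add(prop, val.ToString());
                        }
                    }
                    if (verbose)
                    {
                        info.Add("User Name", GetOwner(proc));
                    }
                    processes.Add(info);
                }
            }
        }
        return processes;
    }

    // Resolves DOMAIN\user via Win32_Process.GetOwner. Failures are reported in the value rather than
    // aborting the listing, since access to some processes is routinely denied.
    private static string GetOwner(ManagementObject proc)
    {
        try
        {
            // GetOwner fills two out parameters: [0] = user, [1] = domain.
            string[] argList = new string[] { string.Empty, string.Empty };
            int returnVal = Convert.ToInt32(proc.InvokeMethod("GetOwner", argList));
            if (returnVal == 0)
            {
                return argList[1] + "\\" + argList[0];
            }
            return "(GetOwner returned " + returnVal + ")";
        }
        catch (Exception e)
        {
            return e.Message;
        }
    }

    // Prints each process as "Property : value" lines in QueriedProperties order, then the delimiter.
    private static void PrintProcesses(List<Dictionary<string, string>> processes, bool verbose, string delimiter)
    {
        if (processes.Count == 0)
        {
            Console.WriteLine("No processes found matching the specified criteria\n");
            return;
        }

        // "Handle" was only needed for GetOwner: show the owner in its place, or drop the column.
        List<string> columns = new List<string>(QueriedProperties);
        int handleIndex = columns.IndexOf("Handle");
        if (verbose)
        {
            columns[handleIndex] = "User Name";
        }
        else
        {
            columns.RemoveAt(handleIndex);
        }

        foreach (Dictionary<string, string> proc in processes)
        {
            foreach (string column in columns)
            {
                string value;
                if (proc.TryGetValue(column, out value))
                {
                    Console.WriteLine("{0} : {1}", column.PadRight(MaxKeyLength), value);
                }
            }
            // Separate each process entry with the user-supplied delimiter (empty by default).
            Console.WriteLine(delimiter);
        }
    }
}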