Releases: supervoidcoder/win-witr
win-witr v0.1.10
This adds the Listening: entry to win-witr, just like witr! It uses the IP Helper API (iphlpapi.h) to find out which ports are bound to each PID. If you run this as admin, you can even find some interesting stuff about existing Windows processes! If you see a high port number on a process such as lsass.exe, say "49664", that's normal: those are RPC endpoints allocated from the dynamic port range, which starts at 49152 on a default Windows install. Even I only learned that today...
Have fun inspecting which processes are torrenting 10 terabytes of uncensored "ram sticks breaking" footage!
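The PowerShell cross-check for the Listening: entry, as an added example (not win-witr's own code, which does this natively through iphlpapi): it lists every TCP listener and UDP endpoint per PID, resolves the owning image name, and flags ports in the dynamic range so that lsass.exe's RPC endpoints stand out as expected rather than as a surprise. The function name and the 49152 default are assumptions of this example; confirm the real range on a given box with `netsh int ipv4 show dynamicport tcp`.

```powershell
# Added example: list listening TCP/UDP ports per PID with the owning image name.
# Assumes the NetTCPIP module (Windows 8 / Server 2012 and later) and, for UDP
# owners, an elevated session. Not part of win-witr; function name is made up here.
function Get-ListeningPortsByPid {
    [CmdletBinding()]
    param(
        [int[]]$ProcessId,                # optional PID filter; default: every process
        [int]$DynamicPortStart = 49152    # assumption: Windows default dynamic (ephemeral) range start
    )
    $rows = @()
    $rows += Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Proto = 'TCP'; OwnerPid = $_.OwningProcess; Addr = $_.LocalAddress; Port = $_.LocalPort }
    }
    $rows += Get-NetUDPEndpoint -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Proto = 'UDP'; OwnerPid = $_.OwningProcess; Addr = $_.LocalAddress; Port = $_.LocalPort }
    }
    if ($ProcessId) { $rows = $rows | Where-Object { $ProcessId -contains [int]$_.OwnerPid } }

    # Resolve PID -> image name once instead of calling Get-Process per row.
    # OwningProcess is UInt32 and Get-Process.Id is Int32, so cast both to [int] for hashtable lookups.
    $names = @{}
    Get-Process | ForEach-Object { $names[[int]$_.Id] = $_.ProcessName }

    foreach ($r in $rows) {
        $name = if ($names.ContainsKey([int]$r.OwnerPid)) { $names[[int]$r.OwnerPid] } else { '<exited>' }
        [pscustomobject]@{
            Pid     = [int]$r.OwnerPid
            Process = $name
            Proto   = $r.Proto
            Local   = '{0}:{1}' -f $r.Addr, $r.Port
            Dynamic = ($r.Port -ge $DynamicPortStart)   # true for ephemeral-range listeners (RPC endpoints etc.)
        }
    }
}

# Everything lsass.exe listens on; the TCP ports flagged Dynamic are its RPC endpoints, not malware.
$lsass = (Get-Process -Name lsass -ErrorAction SilentlyContinue).Id
if ($lsass) { Get-ListeningPortsByPid -ProcessId $lsass | Sort-Object Proto, Local | Format-Table -AutoSize }

# Whole system, grouped the way win-witr would want it: one line per PID.
Get-ListeningPortsByPid | Sort-Object Pid, Proto, Local | Format-Table -AutoSize
```

A process that is not in the Dynamic range but that you do not recognise is the one worth following up, since services that take a fixed port (SMB on 445, RDP on 3389, RPC endpoint mapper on 135) are few and well known; the ephemeral-range listeners on lsass.exe, svchost.exe and wininit.exe are normal.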
Changes
✨ Features
- Make it look like witr (90337c4)
- Add a listening entry which shows which ports a process is listening to (aedc733)
win-witr v0.1.9
Now you can see the RAM usage of a process straight from win-witr! Gone are the days when you have to wonder why a suspicious process spawned by WINWORD is using 12 GB of RAM.
Changes
🐛 Fixes
- Make non-ansi path display correctly and fix int overflow error by using unsigned long long (b17f34f)
- Add missing bracket to RAM usage if (db284d3)
- Fix syntax error due to misplaced apostrophe (267924b)
win-witr v0.1.8
This adds the Working Directory: entry to win-witr's output. Making it was easy: all I had to do was copy the GetCommandLine function (used for the Command: entry) and change a few offsets, so that it reads the CurrentDirectory field of the process parameters block that the PEB points to instead of the CommandLine field.
Changes
✨ Features
- Add working directory by copying the GetCommandLine function and changing the offsets (1b5141c)
🐛 Fixes
- Add newline to command and working directory output (6c2a99d)
win-witr v0.1.7
This adds the "Command:" entry to win-witr! It took longer than it had to because I used undocumented ntdll.dll functions to walk the PEB of the target process. That meant I had to write support for each of these scenarios by hand (win-witr's architecture --> target process architecture):
- ARM64 --> ARM64
- x64 --> x64
- x86 --> x86
- x64 --> x86 (via WoW64)
- x86 --> x64 (this sounds very illegal, but it actually uses another undocumented function that reads the 64-bit process's memory "virtually" so you can access it. Even then there are other tricks like Heaven's Gate, so it's really not that impossible)
- ARM64 --> WoW64
Most of it was copy-paste, but it still took me basically a whole week. The fun part? All of this could have been avoided if I had just used WMI like the original witr, which uses Get-CimInstance (WMI under the hood)! But WMI is notorious for being slow, adding around 200 ms to EVERY query, which is a lot. So I did all this work and almost 700 extra lines of code just to shave off a few hundred milliseconds. Hey, at least it was exciting! MWAHHhAHAHAHAH
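The same PEB walk for the simplest cell of that matrix (x64 --> x64), as an added example that is not win-witr's code: it reads CommandLine and CurrentDirectory (the Command: and Working Directory: entries) from the target's RTL_USER_PROCESS_PARAMETERS using NtQueryInformationProcess(ProcessBasicInformation) and ReadProcessMemory, then times it against the Get-CimInstance route the original witr uses. It assumes a 64-bit PowerShell host, a 64-bit target, and the standard x64 layouts (ProcessParameters at PEB+0x20, CurrentDirectory.DosPath at +0x38 and CommandLine at +0x70 in the parameters block); the PebReader class and Get-PebCommandLine function are names made up here. WoW64 targets are detected and refused rather than misread, since they need the PEB32 (ProcessWow64Information) with 32-bit offsets, and a 32-bit host reading a 64-bit target would need the NtWow64* variants the notes above allude to.

```powershell
# Added example (not win-witr's code): read CommandLine and CurrentDirectory from a
# 64-bit target's PEB. Assumes 64-bit PowerShell and a 64-bit target (x64 -> x64).
$src = @'
using System;
using System.Runtime.InteropServices;
using System.Text;

public static class PebReader {
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_BASIC_INFORMATION {   // 0x30 bytes on x64
        public IntPtr ExitStatus;               // NTSTATUS plus padding
        public IntPtr PebBaseAddress;
        public IntPtr AffinityMask;
        public IntPtr BasePriority;
        public IntPtr UniqueProcessId;
        public IntPtr InheritedFromUniqueProcessId;
    }

    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationProcess(IntPtr h, int infoClass,
        ref PROCESS_BASIC_INFORMATION pbi, int size, out int returned);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool IsWow64Process(IntPtr h, out bool wow64);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, IntPtr size, out IntPtr read);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr h);

    const uint PROCESS_QUERY_INFORMATION = 0x0400, PROCESS_VM_READ = 0x0010;

    static byte[] Read(IntPtr h, IntPtr addr, int size) {
        var buf = new byte[size]; IntPtr got;
        if (!ReadProcessMemory(h, addr, buf, (IntPtr)size, out got) || got.ToInt64() != size)
            throw new Exception("ReadProcessMemory failed at 0x" + addr.ToInt64().ToString("X"));
        return buf;
    }

    // UNICODE_STRING on x64: USHORT Length, USHORT MaximumLength, 4 bytes padding, PWSTR Buffer at +8
    static string ReadUnicodeString(IntPtr h, IntPtr addr) {
        var us = Read(h, addr, 16);
        int len = BitConverter.ToUInt16(us, 0);
        IntPtr buffer = (IntPtr)BitConverter.ToInt64(us, 8);
        return (len == 0 || buffer == IntPtr.Zero) ? "" : Encoding.Unicode.GetString(Read(h, buffer, len));
    }

    // Returns { CommandLine, CurrentDirectory } for a 64-bit target.
    public static string[] Query(int pid) {
        if (IntPtr.Size != 8) throw new Exception("run from 64-bit PowerShell (x86 -> x64 needs the NtWow64* reads)");
        IntPtr h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, pid);
        if (h == IntPtr.Zero) throw new Exception("OpenProcess failed, error " + Marshal.GetLastWin32Error());
        try {
            bool wow;
            if (IsWow64Process(h, out wow) && wow)
                throw new Exception("WoW64 target: read its PEB32 (ProcessWow64Information, 32-bit offsets) instead");
            var pbi = new PROCESS_BASIC_INFORMATION(); int ret;
            int status = NtQueryInformationProcess(h, 0 /* ProcessBasicInformation */, ref pbi,
                Marshal.SizeOf(typeof(PROCESS_BASIC_INFORMATION)), out ret);
            if (status != 0) throw new Exception("NtQueryInformationProcess: 0x" + status.ToString("X8"));
            // PEB64 + 0x20 = ProcessParameters (RTL_USER_PROCESS_PARAMETERS*)
            IntPtr pp = (IntPtr)BitConverter.ToInt64(Read(h, pbi.PebBaseAddress + 0x20, 8), 0);
            // RTL_USER_PROCESS_PARAMETERS (x64): CurrentDirectory.DosPath at +0x38, CommandLine at +0x70
            return new[] { ReadUnicodeString(h, pp + 0x70), ReadUnicodeString(h, pp + 0x38) };
        } finally { CloseHandle(h); }
    }
}
'@
Add-Type -TypeDefinition $src

function Get-PebCommandLine {
    param([Parameter(Mandatory)][int]$ProcessId)
    $r = [PebReader]::Query($ProcessId)
    [pscustomobject]@{ Pid = $ProcessId; CommandLine = $r[0]; WorkingDirectory = $r[1] }
}

Get-PebCommandLine -ProcessId $PID | Format-List

# What the direct read saves over WMI. Win32_Process exposes CommandLine but has no working
# directory property, so the PEB read is the only route for the Working Directory: entry.
$peb = (Measure-Command { Get-PebCommandLine -ProcessId $PID }).TotalMilliseconds
$wmi = (Measure-Command { Get-CimInstance Win32_Process -Filter "ProcessId = $PID" | Select-Object -ExpandProperty CommandLine }).TotalMilliseconds
"PEB read: {0:N1} ms   WMI query: {1:N1} ms" -f $peb, $wmi
```

Running it against a process you do not own requires SeDebugPrivilege (an elevated session), and it will still fail on protected processes such as lsass.exe under LSA protection, because PROCESS_VM_READ is never granted there; that is the case the v0.1.2 fallback below exists for.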
Changes
✨ Features
- Add error handling for function pointer retrieval in main.cpp (68c537d)
- read WoW64 from x64 and arm64 (66e342b)
- Address code review issues. Fixed label with undefined block in build.yml. Fixed version number in release.yml and main.cpp. (90a7a56)
- Add PROCESS_BASIC_INFORMATION64 structure and update function pointer for NtWow64QueryInformationProcess64 (8054ef0)
- Add support for reading command line of 32-bit and 64-bit processes in Windows using undocumented ntdll.dll functions. That's right! UNDOCUMENTED!! MWAHHAHAHAH (e586c8e)
- make it so the program actually knows the version (960e7ea)
- add force_ansi env var (5291195)
- Add command entry by reading process PEB (cddb4f6)
🐛 Fixes
- version (29a3138)
- version number embed during compilation (65c6fbd)
- Add error handling for build process in release.yml (bb1be52)
- Improve error handling for function pointer retrieval and memory access in process command line reading (942e314)
- Replace AreWeWoW64 with IsWow64Process because I'm stupid and used the wrong functions that didn't exist because they don't exist and they don't exist due to the fact that they don't exist since they don't exist in the existence of the existential NT kernel (5e35271)
- missing bracket (4e70436)
- correct wow64 checking (932b51f)
- add debug log (7d4d552)
- CI TESTS (51d6a74)
- add fail-fast false (1fab362)
- update error messages for Git Bash and add architecture support in GetCommandLine function (c561d7b)
- stdcerr remove (aca3416)
- add missing newline after User entry (8487b74)
- Fix typos and wrong functions (09e2dea)
- Add x64 implementation to manually read process PEB and return command line string (43b0330)
- a (07fce97)
- remove stupid useless defines (13e2ace)
- try changing dword to size_t (f20951d)
- return pointer instead of character and add missing include statement (b66390e)
- try adding #define (3c3df85)
♻️ Refactoring
- Remove debug and error logging statements for function pointer retrieval and memory access SINCE IT FINALLY WORKS NOW (6290464)
🔄 CI/CD
- add provjobd.exe handling to process.bat and create provdjob.bat (6cc86f3)
- add provjobd.exe entries to process.bat (3e3e1a1)
- add hosted-compute-agent to process.bat (151bbfc)
- more tests (038d172)
- Remove wrong or not working tests from process.bat test CI (f27388c)
- add way more process tests ci (3d24e3c)
💄 Style
- made error statements nicer (4e731b5)
📋 Other Changes
- address code review (7ddec09)
- IDK (f82f6f2)
- just add a bunch of debugs for now (3a77bd6)
- Merge branch 'main' into command-and-git-peb (16110ec)
- Merge branch 'main' into command-and-git-peb (ef2601e)
- Merge pull request #63 from supervoidcoder/main (405172c)
win-witr v0.1.6
Changes
✨ Features
- Add color to Target and Process like witr. Also add error validation (9616ba5)
- Add Target and Process fields, just like witr. This makes it so you can see the name and PID of the process you are looking up. It can be a bit redundant, but it's in witr, so hey (358bb7d)
🐛 Fixes
- Fix syntax error in Line 599 regarding misplaced << in cout (657ae0e)
💄 Style
- Add a space in the Process entry to make it look better and remove redundant output (ae89516)
📋 Other Changes
- Avoid returning the PID as a “process name” when no match is found. (ed7e904)
win-witr v0.1.5
Changes
✨ Features
- Add error checks for token/SID queries to prevent crashes and invalid data. (5e40214)
- add TrustedInstaller.exe to CI tests (3ec04e3)
- fixed wstring errors and added blue colors for user (410c6ca)
- added user entry on output. Now it shows what user started a specific process. (98c8f4b)
🐛 Fixes
- misplaced brace } (cd1c3c7)
- remove trusted installer (didn't work) (b1d8fd6)
- Permission error fixed by adding a fallback when calling process_query_information and add a PROCESS_QUERY_LIMITED_INFORMATION fallback (fa95faf)
- syntax error due to misplaced braces (a9142c1)
- Convert Wide String to regular string so that cout can process it while displaying user. (a0fd0c7)
win-witr v0.1.4
win-witr v0.1.3
Changes
✨ Features
- add one indentation so it looks cleaner 🤤🧼🫧🧹🪥🧽🚿 (94db26a)
- this will probably work (made it so that it can do the um children) (9532927)
- highlight target pid (d01e60e)
- keep track of children (931ab81)
- magenta └─ (c6f7ea3)
- start doing it (not done or tested) (29331fb)
🐛 Fixes
- address code review issues (790ac4a)
- wrong place lol (596a613)
- not showing top process (c762e4e)
- indentation and formatting (probably) (fcf24d9)
- test if it fixed (93da5fb)
- mangled braces (7715300)
- logic ahh error (afa1994)
- main.cpp(285): error C2143: syntax error: missing ';' before '==' (4bd5ea5)
- main.cpp(320): warning C4551: function call missing argument list main.cpp(334): error C2181: illegal else without matching if (43ddf1a)
- i keep forgetting to add semicolons (b94b9d2)
- syntax error (c399996)
- remove leftover from copied loop (will continue working later) (247d2fa)
win-witr v0.1.2
Changes
✨ Feature: add fallback to process inspection so it doesn't fail on high-privilege processes
The previous handle opener was aggressive: it requested read access to the process's memory (PROCESS_VM_READ) up front. That request gets rejected for some very high-privilege processes, such as lsass.exe, so we couldn't read the memory even WITH SeDebugPrivilege enabled. (With LSA protection turned on, lsass.exe runs as a protected process, and a protected process only grants limited rights such as PROCESS_QUERY_LIMITED_INFORMATION to callers outside its protection level, whatever privileges they hold.) Windows doesn't want ya sneaking around in that!
So for that reason, I've added a fallback that only requests PROCESS_QUERY_LIMITED_INFORMATION, which should still let us read some information about the process, such as its image name and owner, without touching its memory.
This has been tested and it does let us get info about lsass.exe and even System! Woohoo!
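The two-step open described above, as an added example (not win-witr's code): it asks for PROCESS_QUERY_INFORMATION | PROCESS_VM_READ first, falls back to PROCESS_QUERY_LIMITED_INFORMATION only on ERROR_ACCESS_DENIED, and reports which level it got along with the image path, which QueryFullProcessImageName returns with the limited right alone. The ProcOpen class and Test-ProcessAccess function are names made up for this example; run it elevated to see the difference between an ordinary process ("full") and lsass.exe or System ("limited").

```powershell
# Added example (not win-witr's code): OpenProcess with the limited-information fallback.
$src = @'
using System;
using System.Runtime.InteropServices;
using System.Text;

public static class ProcOpen {
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool QueryFullProcessImageName(IntPtr h, uint flags, StringBuilder exeName, ref int size);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr h);

    public const uint PROCESS_VM_READ = 0x0010;
    public const uint PROCESS_QUERY_INFORMATION = 0x0400;
    public const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const int ERROR_ACCESS_DENIED = 5;

    // Returns { "full" | "limited" | "denied", image path or error text }.
    public static string[] Open(int pid) {
        string level = "full";
        IntPtr h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, pid);
        if (h == IntPtr.Zero) {
            int err = Marshal.GetLastWin32Error();
            if (err != ERROR_ACCESS_DENIED) return new[] { "denied", "error " + err };   // e.g. no such PID
            // Protected processes refuse PROCESS_VM_READ even to SeDebugPrivilege holders,
            // but PROCESS_QUERY_LIMITED_INFORMATION is still granted.
            level = "limited";
            h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
            if (h == IntPtr.Zero) return new[] { "denied", "error " + Marshal.GetLastWin32Error() };
        }
        try {
            var sb = new StringBuilder(1024);
            int len = sb.Capacity;
            // Needs only PROCESS_QUERY_LIMITED_INFORMATION; fails for PID 4 (System has no image path).
            string path = QueryFullProcessImageName(h, 0, sb, ref len) ? sb.ToString() : "<no image path>";
            return new[] { level, path };
        } finally { CloseHandle(h); }
    }
}
'@
Add-Type -TypeDefinition $src

function Test-ProcessAccess {
    param([Parameter(Mandatory)][string]$Name)
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $r = [ProcOpen]::Open($p.Id)
        [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Access = $r[0]; Image = $r[1] }
    }
}

# Expect "full" for your own processes, "limited" for lsass.exe when LSA protection is on
# and for System, and "denied" only when even the limited open is refused.
'explorer', 'lsass', 'System' | ForEach-Object { Test-ProcessAccess -Name $_ } | Format-Table -AutoSize
```

Anything that needs the memory itself (the PEB walk behind the Command: and Working Directory: entries) cannot be served from a "limited" handle, so a tool taking this route has to degrade those entries gracefully rather than treat the second open as a full success.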
Commit: ca4169e
win-witr v0.1.1
Changes
🐛 Fix: Unicode output didn't work when escaped
It used to show up as ?? instead of └─.
Commit: 727df43