Detect if a process is using a VEH.

BeneficialCode · BeneficialCode · commit 1a9eb489470d · 2025-11-04T12:44:57.000+08:00
diff --git a/WinArk/MainFrame.cpp b/WinArk/MainFrame.cpp
@@ -61,7 +61,8 @@ void CMainFrame::InitProcessTable() {
 		{19,"Process Name",0},
 		{19,"Process ID",0},
 		{9,"Session",0},
-		{20,"User Name",0},
+		{32,"User Name",0},
+		{9,"Has VEH",0},
 		{20,"EPROCESS",0},
 		{12,"Priority",0},
 		{9,"Threads",0},
diff --git a/WinArk/ProcessInfoEx.cpp b/WinArk/ProcessInfoEx.cpp
@@ -201,4 +201,8 @@ int ProcessInfoEx::GetImageIndex(CImageList images) const {
 			_image = images.AddIcon(hIcon);
 	}
 	return _image;
+}
+
+bool ProcessInfoEx::HasVEH(HANDLE hProcess) const {
+	return _process->HasVEH(hProcess);
 }
diff --git a/WinArk/ProcessInfoEx.h b/WinArk/ProcessInfoEx.h
@@ -37,6 +37,7 @@ class ProcessInfoEx {
 	const std::wstring& GetCompanyName() const;
 	const std::wstring& GetDescription() const;
 	const std::wstring& GetVersion() const;
+	bool HasVEH(HANDLE hProcess) const;
 
 	int GetBitness() const;
 	const WinSys::Process* GetProcess() const {
diff --git a/WinArk/ProcessTable.cpp b/WinArk/ProcessTable.cpp
@@ -83,6 +83,14 @@ int CProcessTable::ParseTableEntry(CString& s, char& mask, int& select, std::sha
 			break;
 		case ProcessColumn::Eprocess:
 			s.Format(L"0x%p", info->EProcess);
+			break;
+		case ProcessColumn::HasVEH:
+		{
+			auto hProcess = DriverHelper::OpenProcess(info->Id, PROCESS_VM_READ | PROCESS_QUERY_INFORMATION);
+			s.Format(L"%s", px.HasVEH(hProcess) ? L"Yes" : L"No");
+			::CloseHandle(hProcess);
+		}
+			
 			break;
 		default:
 			break;
@@ -275,7 +283,7 @@ LRESULT CProcessTable::OnProcessKill(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*
 	auto& p = m_Table.data.info[selected];
 
 	CString text;
-	text.Format(L"ɱ�����̣�%u (%ws)?", p->Id, p->GetImageName().c_str());
+	text.Format(L"Kill Process��%u (%ws)?", p->Id, p->GetImageName().c_str());
 	if (AtlMessageBox(*this, (PCWSTR)text, IDS_TITLE, MB_ICONWARNING | MB_OKCANCEL | MB_DEFBUTTON2) == IDCANCEL)
 		return 0;
 
@@ -294,7 +302,7 @@ LRESULT CProcessTable::OnProcessResume(WORD /*wNotifyCode*/, WORD /*wID*/, HWND
 	auto& p = m_Table.data.info[selected];
 
 	CString text;
-	text.Format(L"�ָ�����: %u (%ws)?", p->Id, p->GetImageName().c_str());
+	text.Format(L"Resume Process: %u (%ws)?", p->Id, p->GetImageName().c_str());
 	if (AtlMessageBox(*this, (PCWSTR)text, IDS_TITLE, MB_ICONWARNING | MB_OKCANCEL | MB_DEFBUTTON2) == IDCANCEL)
 		return 0;
 
@@ -323,7 +331,7 @@ LRESULT CProcessTable::OnProcessSuspend(WORD /*wNotifyCode*/, WORD /*wID*/, HWND
 	auto& p = m_Table.data.info[selected];
 
 	CString text;
-	text.Format(L"�������: %u (%ws)?", p->Id, p->GetImageName().c_str());
+	text.Format(L"Suspend Process: %u (%ws)?", p->Id, p->GetImageName().c_str());
 	if (AtlMessageBox(*this, (PCWSTR)text, IDS_TITLE, MB_ICONWARNING | MB_OKCANCEL | MB_DEFBUTTON2) == IDCANCEL)
 		return 0;
 
diff --git a/WinArk/ProcessTable.h b/WinArk/ProcessTable.h
@@ -97,7 +97,7 @@ class CProcessTable
 
 private:
 	enum class ProcessColumn {
-		Name,Id,Session,UserName,Eprocess,Priority,Threads,Handles,Attributes,CreateTime,Description,CompanyName,Version,ExePath,CmdLine
+		Name,Id,Session,UserName,HasVEH,Eprocess,Priority,Threads,Handles,Attributes,CreateTime,Description,CompanyName,Version,ExePath,CmdLine
 	};
 	//std::vector<std::shared_ptr<WinSys::ProcessInfo>> m_Processes;
 	mutable std::unordered_map<WinSys::ProcessInfo*, ProcessInfoEx> m_ProcessesEx;
diff --git a/WinSysCore/Processes.cpp b/WinSysCore/Processes.cpp
@@ -416,4 +416,34 @@ SIZE_T Process::GetImageSize(HANDLE hProcess, DWORD_PTR imageBase) {
 		return info.RegionSize;
 	}
 	return 0;
+}
+
+bool Process::HasVEH(HANDLE hProcess) const {
+	ULONG len = 0;
+	PROCESS_BASIC_INFORMATION info;
+	DWORD status = ::NtQueryInformationProcess(hProcess, ProcessBasicInformation, &info, sizeof(info), &len);
+	if (!NT_SUCCESS(status))
+		return false;
+
+	if (info.PebBaseAddress == nullptr)
+		return false;
+	DWORD flags = 0;
+	DWORD* pCrossProcessFlags = nullptr;
+	PROCESS_EXTENDED_BASIC_INFORMATION extInfo;
+	if (!GetExtendedInfo(hProcess, &extInfo))
+		return false;
+	if (extInfo.IsWow64Process) {
+		pCrossProcessFlags = reinterpret_cast<DWORD*>((BYTE*)info.PebBaseAddress + 0x1000 + 0x28);
+	}
+	else {
+		pCrossProcessFlags = reinterpret_cast<DWORD*>((BYTE*)info.PebBaseAddress + 0x50);
+	}
+
+	if (!::ReadProcessMemory(hProcess, pCrossProcessFlags, &flags, sizeof(flags), nullptr))
+		return false;
+
+	if (flags & 0x00000004)
+		return true;
+
+	return false;
 }
diff --git a/WinSysCore/Processes.h b/WinSysCore/Processes.h
@@ -120,6 +120,7 @@ namespace WinSys {
 		static std::vector<std::pair<std::wstring, std::wstring>> GetEnvironment(HANDLE hProcess);
 		static DWORD_PTR GetImageBaseAddress(HANDLE hProcess);
 		static SIZE_T GetImageSize(HANDLE hProcess, DWORD_PTR imageBase);
+		bool HasVEH(HANDLE hProcess) const;
 
 		bool SetPriorityClass(ProcessPriorityClass pc);
 		uint32_t GetGdiObjectCount() const;

Original file line number	Diff line number	Diff line change
`@@ -201,4 +201,8 @@ int ProcessInfoEx::GetImageIndex(CImageList images) const {`
`201`	`201`	`_image = images.AddIcon(hIcon);`
`202`	`202`	`}`
`203`	`203`	`return _image;`
	`204`	`+}`
	`205`	`+`
	`206`	`+bool ProcessInfoEx::HasVEH(HANDLE hProcess) const {`
	`207`	`+ return _process->HasVEH(hProcess);`
`204`	`208`	`}`