Changeset b7ed6ac in nscp

Timestamp:

03/21/08 18:15:51 (5 years ago)

Author:

Michael Medin <michael@…>

Branches:

master, 0.4.0, 0.4.1, 0.4.2, stable

Children:

367bf20

Parents:

dd02c15

Message:

+ Added command line support for process checks

New option: cmdLine will toggle so full command lines are used instead of just process names.

+ Added regular expression matching to process checks

New option: match=regexp (match=strings is the default and "old" way)

+ Added substring matching to process checks

New option: match=substr (match=strings is the default and "old" way)
This is *NOT* case blind so might be hard to use, plan to add case blindness to it in the future.

: Sample command: check_nt ... -v PROCSTATE -l cmdLine,match=regexp,.*exp.* -d SHOWALL

• Ohh yeah... it is 2008 this year... not 2007, fixed a few entries in the changelog :)
• BREAKING CHANGE! -- Removed TOOLHELPER API as PSAPI is simpler and toolhel is really only usefull on w9x (which I dont oficcaly support)

Files:

• changelog (modified) (2 diffs)
• include/EnumProcess.cpp (modified) (10 diffs)
• include/EnumProcess.h (modified) (7 diffs)
• include/error.hpp (modified) (1 diff)
• include/filter_framework.hpp (modified) (1 diff)
• modules/CheckSystem/CheckSystem.cpp (modified) (13 diffs)
• modules/LUAScript/script_wrapper.hpp (modified) (4 diffs)

changelog

@@ -6 +6 @@
  * "The message is blocked by User Interface Privilege Isolation, Administrative applications that need to see it can allow it through by calling ChangeWindowMessageFilter after making sure the necessary security precautions are in place. "
 
-2007-03-20
+2008-03-21
+ + Added command line support for process checks
+   New option: cmdLine will toggle so full command lines are used instead of just process names.
+ + Added regular expression matching to process checks
+   New option: match=regexp (match=strings is the default and "old" way)
+ + Added substring matching to process checks
+   New option: match=substr (match=strings is the default and "old" way)
+   This is *NOT* case blind so might be hard to use, plan to add case blindness to it in the future.
+ : Sample command: check_nt ... -v PROCSTATE -l cmdLine,match=regexp,.*exp.* -d SHOWALL
+ * Ohh yeah... it is 2008 this year... not 2007, fixed a few entries in the changelog :)
+ - BREAKING CHANGE! -- Removed TOOLHELPER API as PSAPI is simpler and toolhel is really only usefull on w9x (which I dont oficcaly support)
+
+2008-03-20
  + Added host-lookupos for NSCA server (#149)
  + Added option (cache_hostname=1|0) to cache the NSCA host name (Ie. only lookup once)
@@ -13 +25 @@
    Added option debug_skip_data_collection to simulate this (just for kicks)
 
-2007-03-18
+2008-03-18
  * Added some more error mesages to the NSCA module
  * Added support for srguments to LUA module.
    syntax: function debug (command, args) -- args is a table with all arguments
 
-2007-03-11 MickeM
+2008-03-11 MickeM
  ! 0.3.1 Released
 

include/EnumProcess.cpp

@@ -34 +34 @@
 {
   lpString = new TCHAR[MAX_FILENAME+1];
-  m_hProcessSnap = INVALID_HANDLE_VALUE;
-  m_hModuleSnap = INVALID_HANDLE_VALUE;
 
   PSAPI = ::LoadLibrary(_TEXT("PSAPI"));
@@ -55 +53 @@
   }
 
-  TOOLHELP = ::LoadLibrary(_TEXT("Kernel32"));
-  if (TOOLHELP)  
-  {
-    // Setup variables
-    m_pe.dwSize = sizeof(m_pe);
-    m_me.dwSize = sizeof(m_me);
-    // Find ToolHelp functions
-#ifdef UNICODE
-    FCreateToolhelp32Snapshot = (PFCreateToolhelp32Snapshot)::GetProcAddress(TOOLHELP, "CreateToolhelp32Snapshot");
-    FProcess32First = (PFProcess32First)::GetProcAddress(TOOLHELP, "Process32FirstW");
-    FProcess32Next = (PFProcess32Next)::GetProcAddress(TOOLHELP, "Process32NextW");
-    FModule32First = (PFModule32First)::GetProcAddress(TOOLHELP, "Module32FirstW");
-    FModule32Next = (PFModule32Next)::GetProcAddress(TOOLHELP, "Module32NextW");
-#else
-    FCreateToolhelp32Snapshot = (PFCreateToolhelp32Snapshot)::GetProcAddress(TOOLHELP, "CreateToolhelp32SnapshotA");
-    FProcess32First = (PFProcess32First)::GetProcAddress(TOOLHELP, "Process32FirstA");
-    FProcess32Next = (PFProcess32Next)::GetProcAddress(TOOLHELP, "Process32NextA");
-    FModule32First = (PFModule32First)::GetProcAddress(TOOLHELP, "Module32FirstA");
-    FModule32Next = (PFModule32Next)::GetProcAddress(TOOLHELP, "Module32NextA");
-#endif
-  }
-
   // Find the preferred method of enumeration
   m_method = ENUM_METHOD::NONE;
   int method = GetAvailableMethods();
   if (method == (method|ENUM_METHOD::PSAPI))    m_method = ENUM_METHOD::PSAPI;
-  if (method == (method|ENUM_METHOD::TOOLHELP)) m_method = ENUM_METHOD::TOOLHELP;
-  if (method == (method|ENUM_METHOD::PROC16))   m_method += ENUM_METHOD::PROC16;
 
 }
@@ -92 +66 @@
   if (m_pModules)   {delete[] m_pModules;}
   if (PSAPI) FreeLibrary(PSAPI);
-  if (TOOLHELP) FreeLibrary(TOOLHELP);
-  if (INVALID_HANDLE_VALUE != m_hProcessSnap) ::CloseHandle(m_hProcessSnap);
-  if (INVALID_HANDLE_VALUE != m_hModuleSnap)  ::CloseHandle(m_hModuleSnap);
-}
-
-
-
-int CEnumProcess::GetAvailableMethods()
-{
+}
+
+
+
+int CEnumProcess::GetAvailableMethods() {
   int res = 0;
   // Does all psapi functions exist?
   if (PSAPI&&FEnumProcesses&&FEnumProcessModules&&FGetModuleFileNameEx) 
     res += ENUM_METHOD::PSAPI;
-  // How about Toolhelp?
-  if (TOOLHELP&&FCreateToolhelp32Snapshot&&FProcess32Next&&FProcess32Next&&FModule32First&&FModule32Next) 
-    res += ENUM_METHOD::TOOLHELP;
-
   return res;
 }
 
-int CEnumProcess::SetMethod(int method)
-{
+int CEnumProcess::SetMethod(int method) {
   int avail = GetAvailableMethods();
-
-  if (method != ENUM_METHOD::PROC16 && avail == (method|avail)) 
+  if (avail == (method|avail)) 
     m_method = method;
-
   return m_method;
 }
@@ -131 +94 @@
 BOOL CEnumProcess::GetProcessFirst(CEnumProcess::CProcessEntry *pEntry)
 {
-  if (ENUM_METHOD::NONE == m_method) return FALSE; 
-
-  if ((ENUM_METHOD::TOOLHELP|m_method) == m_method)
-    // Use ToolHelp functions
-    // ----------------------
-  {
-    m_hProcessSnap = FCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
-    if (INVALID_HANDLE_VALUE == m_hProcessSnap) return FALSE;
-    if (!FProcess32First(m_hProcessSnap, &m_pe)) return FALSE;
-    pEntry->dwPID = m_pe.th32ProcessID;
-    pEntry->sFilename, m_pe.szExeFile;
-  }
-  else
+  if (ENUM_METHOD::NONE == m_method) {
+    return FALSE; 
+  } else if ((ENUM_METHOD::PSAPI|m_method) == m_method) {
     // Use PSAPI functions
     // ----------------------
-  {
     if (m_pProcesses) {delete[] m_pProcesses;}
     m_pProcesses = new DWORD[m_MAX_COUNT];
@@ -163 +115 @@
     m_cProcesses = cbNeeded/sizeof(DWORD); 
     return FillPStructPSAPI(*m_pProcesses, pEntry);
-  }
-
+  } else {
+    return FALSE;
+  }
   return TRUE;
 }
@@ -173 +126 @@
 {
   if (ENUM_METHOD::NONE == m_method) return FALSE; 
-  pEntry->hTask16 = 0;
-
 
   // Use ToolHelp functions
   // ----------------------
-  if ((ENUM_METHOD::TOOLHELP|m_method) == m_method)
-  {
-    if (!FProcess32Next(m_hProcessSnap, &m_pe)) return FALSE;
-    pEntry->dwPID = m_pe.th32ProcessID;
-    pEntry->sFilename = m_pe.szExeFile;
-  }
-  else
+  if ((ENUM_METHOD::PSAPI|m_method) == m_method) {
     // Use PSAPI functions
     // ----------------------
-  {
     if (--m_cProcesses <= 0) return FALSE;
     FillPStructPSAPI(*++m_pCurrentP, pEntry);
-  }
-
+  } else {
+    return FALSE;
+  }
   return TRUE;
 }
@@ -199 +144 @@
 {
   if (ENUM_METHOD::NONE == m_method) return FALSE; 
-  // Use ToolHelp functions
-  // ----------------------
-  if ((ENUM_METHOD::TOOLHELP|m_method) == m_method)
-  {
-    if (INVALID_HANDLE_VALUE != m_hModuleSnap)  ::CloseHandle(m_hModuleSnap);
-    m_hModuleSnap = FCreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
-
-    if(!FModule32First(m_hModuleSnap, &m_me)) return FALSE;
-
-    pEntry->pLoadBase = m_me.modBaseAddr;
-    pEntry->sFilename = m_me.szExePath;
-    pEntry->pPreferredBase = GetModulePreferredBase(dwPID, m_me.modBaseAddr);
-    return TRUE;
-  }
-  else
+  if ((ENUM_METHOD::PSAPI|m_method) == m_method) {
     // Use PSAPI functions
     // ----------------------
-  {
     if (m_pModules) {delete[] m_pModules;}
     m_pModules = new HMODULE[m_MAX_COUNT];
@@ -240 +170 @@
     }
     return FALSE;
+  } else {
+    return FALSE;
   }
 }
@@ -247 +179 @@
 {
   if (ENUM_METHOD::NONE == m_method) return FALSE; 
-
-  // Use ToolHelp functions
-  // ----------------------
-  if ((ENUM_METHOD::TOOLHELP|m_method) == m_method)
-  {
-    if(!FModule32Next(m_hModuleSnap, &m_me)) return FALSE;
-
-    pEntry->pLoadBase = m_me.modBaseAddr;
-    pEntry->sFilename = m_me.szExePath;
-    pEntry->pPreferredBase = GetModulePreferredBase(dwPID, m_me.modBaseAddr);
-    return TRUE;
-  }
-  else
+  if ((ENUM_METHOD::PSAPI|m_method) == m_method) {
     // Use PSAPI functions
     // ----------------------
-  {
     if (--m_cModules <= 0) return FALSE;
     return FillMStructPSAPI(dwPID, *++m_pCurrentM, pEntry);
-  }
-
-}
-
+  } else {
+    return FALSE;
+  }
+
+}
+
+
+BOOL CEnumProcess::EnableTokenPrivilege (LPTSTR privilege)
+{
+  HANDLE hToken;                        
+  TOKEN_PRIVILEGES token_privileges;                  
+  DWORD dwSize;                        
+  ZeroMemory (&token_privileges, sizeof (token_privileges));
+  token_privileges.PrivilegeCount = 1;
+  if ( !OpenProcessToken (GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken))
+    return FALSE;
+  if (!LookupPrivilegeValue ( NULL, privilege, &token_privileges.Privileges[0].Luid))
+  { 
+    CloseHandle (hToken);
+    return FALSE;
+  }
+
+  token_privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+  if (!AdjustTokenPrivileges ( hToken, FALSE, &token_privileges, 0, NULL, &dwSize))
+  { 
+    CloseHandle (hToken);
+    return FALSE;
+  }
+  CloseHandle (hToken);
+  return TRUE;
+}
+
+// Process data block is found in an NT machine.
+// on an Intel system at 0x00020000  which is the 32
+// memory page. At offset 0x0498 is what I believe to be
+// the process' startup directory which is followed by
+// the system's PATH. Next is  process full command
+// followed by the exe name.
+#define PROCESS_DATA_BLOCK_ADDRESS      (LPVOID)0x00020498
+// align pointer
+#define ALIGNMENT(x) ( (x & 0xFFFFFFFC) ? (x & 0xFFFFFFFC) + sizeof(DWORD) : x )
+
+std::wstring CEnumProcess::GetCommandLine(HANDLE hProcess)
+{
+  SYSTEM_INFO sysinfo;
+  GetSystemInfo (&sysinfo);
+
+  MEMORY_BASIC_INFORMATION mbi;
+  if (VirtualQueryEx (hProcess, PROCESS_DATA_BLOCK_ADDRESS, &mbi, sizeof(mbi) ) == 0)
+    throw EnumProcException(_T("VirtualQueryEx failed"), GetLastError());
+  LPBYTE lpBuffer = (LPBYTE)malloc (sysinfo.dwPageSize);
+  if (lpBuffer == NULL)
+    throw EnumProcException(_T("Failed to allocate buffer"));
+  DWORD dwBytesRead;
+  if (!ReadProcessMemory( hProcess, mbi.BaseAddress, (LPVOID)lpBuffer, sysinfo.dwPageSize, &dwBytesRead)) {
+    free(lpBuffer);
+    throw EnumProcException(_T("ReadProcessMemory failed"), GetLastError());
+  }
+  LPBYTE lpPos = lpPos = lpBuffer + ((DWORD)PROCESS_DATA_BLOCK_ADDRESS - (DWORD)mbi.BaseAddress);
+
+  // Skip programs current directory and path
+  lpPos += (wcslen((LPWSTR)lpPos) + 1) * sizeof(WCHAR);
+
+  // Aligned on a DWORD boundary skip it, and copy the next string into
+  // buffer and null terminate it.
+  lpPos = (LPBYTE)ALIGNMENT((DWORD)lpPos);
+  lpPos += (wcslen((LPWSTR)lpPos) + 1) * sizeof(WCHAR);
+
+  // Sometimes there is an extra \0 here
+  /*
+  if ( *lpPos == '\0' ) 
+    lpPos += sizeof(WCHAR);
+  */
+
+  DWORD nStrLength = (wcslen((LPWSTR)lpPos) + 1) * sizeof(WCHAR);
+  WCHAR *buffer = new TCHAR[nStrLength+2];
+  buffer[0] = L'\0';
+  if(nStrLength > sizeof(WCHAR)) {
+    wcsncpy(buffer, (LPWSTR)lpPos, nStrLength);
+    buffer[nStrLength] = L'\0';
+  }
+  free(lpBuffer);
+  std::wstring ret = buffer;
+  delete [] buffer;
+  return ret;
+}
 
 
@@ -274 +275 @@
 {
   pEntry->dwPID = dwPID;
-
   // Open process to get filename
-  HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPID);
-  if (hProc)
-  {
-    HMODULE hMod;
-    DWORD size;
-    // Get the first module (the process itself)
-    if( FEnumProcessModules(hProc, &hMod, sizeof(hMod), &size) )
-    {
-      //Get filename
-
-      if( !FGetModuleFileNameEx( hProc, hMod, lpString, MAX_FILENAME) ) { 
-        pEntry->sFilename = _T("N/A (error)");
-      } else {
-        std::wstring path = lpString;
-        std::wstring::size_type pos = path.find_last_of(_T("\\"));
-        if (pos != std::wstring::npos) {
-          path = path.substr(++pos);
-        }
-        pEntry->sFilename = path;
+  bool bCmdLine = pEntry->getCommandLine();
+  DWORD openArgs = PROCESS_QUERY_INFORMATION|PROCESS_VM_READ;
+  if (bCmdLine)
+    openArgs |= PROCESS_VM_OPERATION;
+  HANDLE hProc = OpenProcess(openArgs, FALSE, dwPID);
+  if (!hProc) {
+    pEntry->filename = _T("N/A (security restriction)");
+    return TRUE;
+  }
+  if (bCmdLine) {
+    try {
+      pEntry->command_line = GetCommandLine(hProc);
+    } catch (EnumProcException &e) {
+      pEntry->command_line = _T("ERROR: " + e.getMessage(););
+    } catch (...) {
+      pEntry->command_line = _T("ERROR: Failed to get CommandLine.");
+    }
+  }
+  HMODULE hMod;
+  DWORD size;
+  // Get the first module (the process itself)
+  if( FEnumProcessModules(hProc, &hMod, sizeof(hMod), &size) ) {
+    //Get filename
+    //GetModuleFileNameEx
+
+    if( !FGetModuleFileNameEx( hProc, hMod, lpString, MAX_FILENAME) ) { 
+      pEntry->filename = _T("N/A (error)");
+    } else {
+      std::wstring path = lpString;
+      std::wstring::size_type pos = path.find_last_of(_T("\\"));
+      if (pos != std::wstring::npos) {
+        path = path.substr(++pos);
       }
-    }
-    CloseHandle(hProc);
-  }
-  else
-    pEntry->sFilename = _T("N/A (security restriction)");
-
-  return TRUE;
+      pEntry->filename = path;
+    }
+  }
+  CloseHandle(hProc);
 }
 

include/EnumProcess.h

@@ -22 +22 @@
 
 #include <psapi.h>
-#include <tlhelp32.h>
 #include <string>
+#include <error.hpp>
 
 
@@ -30 +30 @@
   const int NONE    = 0x0;
   const int PSAPI   = 0x1;
-  const int TOOLHELP= 0x2;
-  const int PROC16  = 0x4;
 } 
 
@@ -41 +39 @@
 typedef BOOL (WINAPI *PFEnumProcessModules)(HANDLE hProcess, HMODULE * lphModule, DWORD cb, LPDWORD lpcbNeeded);
 typedef DWORD (WINAPI *PFGetModuleFileNameEx)(HANDLE hProcess, HMODULE hModule, LPTSTR lpFilename, DWORD nSize);
-
-//Functions loaded from Kernel32
-typedef HANDLE (WINAPI *PFCreateToolhelp32Snapshot)(DWORD dwFlags, DWORD th32ProcessID);
-typedef BOOL (WINAPI *PFProcess32First)(HANDLE hSnapshot, LPPROCESSENTRY32W lppe);
-typedef BOOL (WINAPI *PFProcess32Next)(HANDLE hSnapshot, LPPROCESSENTRY32W lppe);
-typedef BOOL (WINAPI *PFModule32First)(HANDLE hSnapshot, LPMODULEENTRY32W lpme);
-typedef BOOL (WINAPI *PFModule32Next)(HANDLE hSnapshot, LPMODULEENTRY32W lpme);
 #else
 // Functions loaded from PSAPI
@@ -53 +44 @@
 typedef BOOL (WINAPI *PFEnumProcessModules)(HANDLE hProcess, HMODULE * lphModule, DWORD cb, LPDWORD lpcbNeeded);
 typedef DWORD (WINAPI *PFGetModuleFileNameEx)(HANDLE hProcess, HMODULE hModule, LPTSTR lpFilename, DWORD nSize);
-
-//Functions loaded from Kernel32
-typedef HANDLE (WINAPI *PFCreateToolhelp32Snapshot)(DWORD dwFlags, DWORD th32ProcessID);
-typedef BOOL (WINAPI *PFProcess32First)(HANDLE hSnapshot, LPPROCESSENTRY32 lppe);
-typedef BOOL (WINAPI *PFProcess32Next)(HANDLE hSnapshot, LPPROCESSENTRY32 lppe);
-typedef BOOL (WINAPI *PFModule32First)(HANDLE hSnapshot, LPMODULEENTRY32 lpme);
-typedef BOOL (WINAPI *PFModule32Next)(HANDLE hSnapshot, LPMODULEENTRY32 lpme);
 #endif
 
@@ -66 +50 @@
 public:
 
+  class EnumProcException {
+    std::wstring error_;
+  public:
+    EnumProcException(std::wstring error) : error_(error) {}
+    EnumProcException(std::wstring error, DWORD code) : error_(error) {
+      error_ += _T(":" ) + error::format::from_system(code);
+    }
+    std::wstring getMessage() const {
+      return error_;
+    }
+  };
+
   struct CProcessEntry
   {
-    std::wstring sFilename;
+    static const int fill_filename = 0x1;
+    static const int fill_command_line = 0x2;
+    DWORD fill;
+    std::wstring filename;
+    std::wstring command_line;
     DWORD  dwPID;
-    WORD   hTask16;
-    // Constructors/Destructors
-    CProcessEntry() : dwPID(0), hTask16(0) {}
-    CProcessEntry(CProcessEntry &e) : dwPID(e.dwPID), hTask16(e.hTask16), sFilename(e.sFilename) {}
+    // Constructors/Destructor
+    CProcessEntry() : dwPID(0), fill(0) {}
+    CProcessEntry(DWORD toFill) : dwPID(0), fill(toFill) {}
+    CProcessEntry(const CProcessEntry &e) : dwPID(e.dwPID), fill(e.fill), filename(e.filename), command_line(e.command_line) {}
     virtual ~CProcessEntry() {}
+    bool getCommandLine() const { return fill&fill_command_line!=0; }
+    bool getFilename() const { return fill&fill_filename!=0; }
   };
 
@@ -95 +97 @@
   BOOL GetProcessNext(CProcessEntry *pEntry);    
   BOOL GetProcessFirst(CProcessEntry* pEntry);
+  BOOL EnableTokenPrivilege(LPTSTR privilege);
+  std::wstring GetCommandLine(HANDLE hProcess);
 
   int GetAvailableMethods();
@@ -120 +124 @@
   BOOL FillPStructPSAPI(DWORD pid, CProcessEntry* pEntry);
   BOOL FillMStructPSAPI(DWORD dwPID, HMODULE mMod, CModuleEntry* pEntry);
-
-  // ToolHelp related members
-  HANDLE m_hProcessSnap, m_hModuleSnap;
-  HMODULE TOOLHELP;   //Handle to the module (Kernel32)
-#ifdef UNICODE
-  PROCESSENTRY32W m_pe;
-  MODULEENTRY32W  m_me;
-#else
-  PROCESSENTRY32 m_pe;
-  MODULEENTRY32  m_me;
-#endif
-  // ToolHelp related functions
-  PFCreateToolhelp32Snapshot FCreateToolhelp32Snapshot;
-  PFProcess32First FProcess32First;
-  PFProcess32Next  FProcess32Next;
-  PFModule32First  FModule32First;
-  PFModule32Next   FModule32Next;   
   LPTSTR lpString;
-
 };
 

include/error.hpp

@@ -3 +3 @@
 #include <string>
 #include <windows.h>
+#include <strEx.h>
 
 namespace error {

include/filter_framework.hpp

@@ -126 +126 @@
         } catch (const boost::bad_expression e) {
           throw handler_exception(_T("Invalid syntax in regular expression:") + str);
+        } catch (...) {
+          throw handler_exception(_T("Invalid syntax in regular expression:") + str);
         }
       }

modules/CheckSystem/CheckSystem.cpp

@@ -30 +30 @@
 #include <set>
 #include <sysinfo.h>
+#ifndef NO_BOOST_DEP
+#include <boost/regex.hpp>
+#endif
 
 CheckSystem gCheckSystem;
@@ -68 +71 @@
   if (wantedMethod == C_SYSTEM_ENUMPROC_METHOD_AUTO) {
     OSVERSIONINFO osVer = systemInfo::getOSVersion();
+    /*
     if (systemInfo::isBelowNT4(osVer)) {
       NSC_DEBUG_MSG_STD(_T("Autodetected NT4<, using PSAPI process enumeration."));
@@ -84 +88 @@
       }
     } else {
+    */
       NSC_DEBUG_MSG_STD(_T("Autodetected failed, using PSAPI process enumeration."));
       processMethod_ = ENUM_METHOD::PSAPI;
@@ -92 +97 @@
         NSC_LOG_ERROR_STD(_T("Try this URL: http://www.microsoft.com/downloads/details.aspx?FamilyID=3d1fbaed-d122-45cf-9d46-1cae384097ac"));
       }
-    }
+    //}
   } else if (wantedMethod == C_SYSTEM_ENUMPROC_METHOD_PSAPI) {
     NSC_DEBUG_MSG_STD(_T("Using PSAPI method."));
@@ -101 +106 @@
     }
   } else {
-    NSC_DEBUG_MSG_STD(_T("Using TOOLHELP method."));
-    if (method == (method|ENUM_METHOD::TOOLHELP)) {
-      processMethod_ = ENUM_METHOD::TOOLHELP;
-    } else {
-      NSC_LOG_ERROR_STD(_T("TOOLHELP method not avalible, check ") C_SYSTEM_ENUMPROC_METHOD _T(" option."));
-    }
+    NSC_LOG_ERROR_STD(_T("TOOLHELP method has been removed sine we dont really want to support w9x ") C_SYSTEM_ENUMPROC_METHOD _T("."));
   }
   try {
@@ -751 +751 @@
 }
 typedef struct NSPROCDATA__ {
-  NSPROCDATA__() : count(0) {}
-  NSPROCDATA__(const NSPROCDATA__ &other) {
-    count = other.count;
-    entry = other.entry;
-  }
-
   unsigned int count;
   CEnumProcess::CProcessEntry entry;
+  std::wstring key;
+
+  NSPROCDATA__() : count(0) {}
+  NSPROCDATA__(const NSPROCDATA__ &other) : count(other.count), entry(other.entry), key(other.key) {}
 } NSPROCDATA;
 typedef std::map<std::wstring,NSPROCDATA,strEx::case_blind_string_compare> NSPROCLST;
@@ -765 +763 @@
 * @return a hash_map with all running processes
 */
-NSPROCLST GetProcessList(int processMethod)
+NSPROCLST GetProcessList(int processMethod, bool getCmdLines)
 {
   NSPROCLST ret;
@@ -777 +775 @@
     return ret;
   }
-  CEnumProcess::CProcessEntry entry;
+  int toFill = CEnumProcess::CProcessEntry::fill_filename;
+  if (getCmdLines)
+    toFill |= CEnumProcess::CProcessEntry::fill_command_line;
+  CEnumProcess::CProcessEntry entry(toFill);
   for (BOOL OK = enumeration.GetProcessFirst(&entry); OK; OK = enumeration.GetProcessNext(&entry) ) {
-    NSPROCLST::iterator it = ret.find(entry.sFilename);
+    std::wstring key;
+    if (getCmdLines)
+      key = entry.command_line;
+    else
+      key = entry.filename;
+    NSPROCLST::iterator it = ret.find(key);
     if (it == ret.end()) {
-      ret[entry.sFilename].entry = entry;
-      ret[entry.sFilename].count = 1;
+      ret[key].entry = entry;
+      ret[key].count = 1;
+      ret[key].key = key;
     } else
       (*it).second.count++;
@@ -812 +819 @@
   StateConatiner tmpObject;
   bool bPerfData = true;
+  bool useCmdLine = false;
+  typedef enum {
+    match_string, match_substring, match_regexp
+  } match_type;
+  match_type match = match_string;
+
+  
 
   tmpObject.data = _T("uptime");
@@ -822 +836 @@
     MAP_OPTIONS_BOOL_FALSE(IGNORE_PERFDATA, bPerfData)
     MAP_OPTIONS_BOOL_TRUE(NSCLIENT, bNSClient)
+    MAP_OPTIONS_BOOL_TRUE(_T("cmdLine"), useCmdLine)
+    MAP_OPTIONS_MODE(_T("match"), _T("string"), match,  match_string)
+    MAP_OPTIONS_MODE(_T("match"), _T("regexp"), match,  match_regexp)
+    MAP_OPTIONS_MODE(_T("match"), _T("substr"), match,  match_substring)
+    MAP_OPTIONS_MODE(_T("match"), _T("substring"), match,  match_substring)
     MAP_OPTIONS_SECONDARY_BEGIN(_T(":"), p2)
   else if (p2.first == _T("Proc")) {
@@ -840 +859 @@
   MAP_OPTIONS_END()
 
-
   NSPROCLST runningProcs;
   try {
-    runningProcs = GetProcessList(processMethod_);
+    runningProcs = GetProcessList(processMethod_, useCmdLine);
   } catch (TCHAR *c) {
     NSC_LOG_ERROR_STD(_T("ERROR: ") + c);
@@ -851 +869 @@
 
   for (std::list<StateConatiner>::iterator it = list.begin(); it != list.end(); ++it) {
-    NSPROCLST::iterator proc = runningProcs.find((*it).data);
+    NSPROCLST::iterator proc;
+    if (match == match_string) {
+      proc = runningProcs.find((*it).data);
+    } else if (match == match_substring) {
+      for (proc=runningProcs.begin();proc!=runningProcs.end();++proc) {
+        if ((*proc).first.find((*it).data) != std::wstring::npos)
+          break;
+      }
+#ifndef NO_BOOST_DEP
+    } else if (match == match_regexp) {
+      try {
+        boost::wregex filter((*it).data,boost::regex::icase);
+        for (proc=runningProcs.begin();proc!=runningProcs.end();++proc) {
+          std::wstring value = (*proc).first;
+          if (boost::regex_match(value, filter))
+            break;
+        }
+      } catch (const boost::bad_expression e) {
+        NSC_LOG_ERROR_STD(_T("Failed to compile regular expression: ") + (*proc).first);
+        msg = _T("Failed to compile regular expression: ") + (*proc).first;
+        return NSCAPI::returnUNKNOWN;
+      } catch (...) {
+        NSC_LOG_ERROR_STD(_T("Failed to compile regular expression: ") + (*proc).first);
+        msg = _T("Failed to compile regular expression: ") + (*proc).first;
+        return NSCAPI::returnUNKNOWN;
+      }
+#endif
+    } else {
+      NSC_LOG_ERROR_STD(_T("Unsupported mode for: ") + (*proc).first);
+      msg = _T("Unsupported mode for: ") + (*proc).first;
+      return NSCAPI::returnUNKNOWN;
+    }
     bool bFound = (proc != runningProcs.end());
-    std::wstring tmp;
-    TNtServiceInfo info;
     if (bNSClient) {
       if (bFound && (*it).showAll()) {
         if (!msg.empty()) msg += _T(" - ");
-        msg += (*it).data + _T(": Running");
+        msg += (*proc).first + _T(": Running");
       } else if (bFound) {
       } else {
@@ -873 +920 @@
         value.count = 0;
         value.state = checkHolders::state_stopped;
+      }
+      if (bFound && (*it).alias.empty()) {
+        (*it).alias = (*proc).first;
       }
       (*it).perfData = bPerfData;

modules/LUAScript/script_wrapper.hpp

@@ -45 +45 @@
     return strEx::string_to_wstring(s);
   }
-
-
-
-
-  class Account {
-    lua_Number m_balance;
-  public:
-    static const char className[];
-    static Luna<Account>::RegType methods[];
-
-    Account(lua_State *L)      { m_balance = luaL_checknumber(L, 1); }
-    int inject(lua_State *L) {
-      m_balance += luaL_checknumber(L, 1); return 0; 
-    }
-    int withdraw(lua_State *L) { m_balance -= luaL_checknumber(L, 1); return 0; }
-    int balance (lua_State *L) { lua_pushnumber(L, m_balance); return 1; }
-    ~Account() { printf("deleted Account (%p)\n", this); }
-  };
-
-  const char Account::className[] = "Account";
-
-  #define method(class, name) {#name, &class::name}
-
-  Luna<Account>::RegType Account::methods[] = {
-    method(Account, inject),
-    method(Account, withdraw),
-    method(Account, balance),
-    {0,0}
-  };
+  typedef std::pair<std::wstring,int> where_type;
+  where_type where(lua_State *L, int level = 1) {
+    lua_Debug ar;
+    if (lua_getstack(L, level, &ar)) {  /* check function at level */
+      lua_getinfo(L, "Sl", &ar);  /* get info about it */
+      if (ar.currentline > 0) {  /* is there info? */
+        return where_type(s2w(ar.short_src), ar.currentline);
+      }
+    }
+    return where_type(_T("unknown"),0);
+  }
   std::wstring extract_string(lua_State *L) {
     return strEx::string_to_wstring(lua_tostring( L, lua_gettop( L ) ));
@@ -120 +102 @@
     lua_pushstring(L, strEx::wstring_to_string(_T("unknown")).c_str());
   }
-
-  static int inject(lua_State *L) {
-    int nargs = lua_gettop( L );
-    unsigned int argLen = nargs-1;
-    arrayBuffer::arrayBuffer arguments = arrayBuffer::createArrayBuffer(argLen);
-    for (unsigned int i=argLen;i>0;i--) {
-      std::wstring arg = extract_string(L);
-      arrayBuffer::set(arguments, argLen, i-1, arg);
-      lua_pop(L, 1);
-    }
-    std::wstring command = extract_string(L);
-    lua_pop(L, 1);
-
-    std::wstring msg;
-    std::wstring perf;
-    NSCAPI::nagiosReturn ret = NSCModuleHelper::InjectCommand(command.c_str(), argLen, arguments, msg, perf);
-    push_code(L, ret);
-    lua_pushstring(L, strEx::wstring_to_string(msg).c_str());
-    lua_pushstring(L, strEx::wstring_to_string(perf).c_str());
-    return 3;
+  void push_string(lua_State *L, std::wstring s) {
+    lua_pushstring(L, strEx::wstring_to_string(s).c_str());
   }
 
@@ -198 +162 @@
 
   };
+  class nsclient_wrapper {
+  public:
+
+    static int execute (lua_State *L) {
+      try {
+        int nargs = lua_gettop( L );
+        if (nargs == 0) {
+          return luaL_error(L, "nscp.execute requires atleast 1 argument!");
+        }
+        unsigned int argLen = nargs-1;
+        arrayBuffer::arrayBuffer arguments = arrayBuffer::createArrayBuffer(argLen);
+        for (unsigned int i=argLen;i>0;i--) {
+          std::wstring arg = extract_string(L);
+          arrayBuffer::set(arguments, argLen, i-1, arg);
+          lua_pop(L, 1);
+        }
+        std::wstring command = extract_string(L);
+        lua_pop(L, 1);
+        std::wstring msg;
+        std::wstring perf;
+        NSCAPI::nagiosReturn ret = NSCModuleHelper::InjectCommand(command.c_str(), argLen, arguments, msg, perf);
+        push_code(L, ret);
+        lua_pushstring(L, strEx::wstring_to_string(msg).c_str());
+        lua_pushstring(L, strEx::wstring_to_string(perf).c_str());
+        return 3;
+      } catch (...) {
+        return luaL_error(L, "Unknown exception in: nscp.execute");
+      }
+    }
+
+    static int register_command(lua_State *L) {
+      try {
+        lua_handler *handler = lua_manager::get_handler(L);
+        lua_script *script = lua_manager::get_script(L);
+        int nargs = lua_gettop( L );
+        if (nargs != 2)
+          return luaL_error(L, "Incorrect syntax: nscp.register(<key>, <function>);");
+        handler->register_command(script, pop_string(L), pop_string(L));
+        return 0;
+      } catch (LUAException e) {
+        return luaL_error(L, std::string("Error in nscp.register: " + w2s(e.getMessage())).c_str());
+      } catch (...) {
+        return luaL_error(L, "Unknown exception in: nscp.register");
+      }
+    }
+
+    static int getSetting (lua_State *L) {
+      int nargs = lua_gettop( L );
+      if (nargs < 2 || nargs > 3)
+        return luaL_error(L, "Incorrect syntax: nscp.getSetting(<section>, <key>[, <default value>]);");
+      std::wstring v;
+      if (nargs > 2)
+        v = pop_string(L);
+      std::wstring k = pop_string(L);
+      std::wstring s = pop_string(L);
+      push_string(L, NSCModuleHelper::getSettingsString(s, k, v));
+      return 1;
+    }
+    static int getSection (lua_State *L) {
+      NSC_DEBUG_MSG_STD(_T("LUA::setSettings"));
+      return 0;
+    }
+    static int info (lua_State *L) {
+      return log_any(L, NSCAPI::log);
+    }
+    static int error (lua_State *L) {
+      return log_any(L, NSCAPI::error);
+    }
+    static int log_any(lua_State *L, int mode) {
+      where_type w = where(L);
+      int nargs = lua_gettop( L );
+      std::wstring str;
+      for (int i=0;i<nargs;i++) {
+        str += pop_string(L);
+      }
+      NSCModuleHelper::Message(mode, w.first, w.second, str);
+      return 0;
+    }
+
+    static const luaL_Reg my_funcs[];
+
+    static int luaopen(lua_State *L) {
+      luaL_register(L, "nscp", my_funcs);
+      return 1;
+    }
+
+
+  };
+  const luaL_Reg nsclient_wrapper::my_funcs[] = {
+    {"execute", execute},
+    {"info", info},
+    {"print", info},
+    {"error", error},
+    {"register", register_command},
+    {"getSetting", getSetting},
+    {"getSection", getSection},
+    {NULL, NULL}
+  };
+
   lua_manager::handler_type lua_manager::handlers;
   lua_manager::script_type lua_manager::scripts;
   double lua_manager::last_value = 0;
   char lua_manager::handler_key[] = "registry.key.handler";
-  char lua_manager::script_key[] = "registry.key.sctrip";
-
-  static int register_command(lua_State *L) {
-    try {
-      lua_handler *handler = lua_manager::get_handler(L);
-      lua_script *script = lua_manager::get_script(L);
-      int nargs = lua_gettop( L );
-      if (nargs < 2) {
-        return luaL_error(L, "Missing argument for register_command! usage: register_command(<key>, <function>);");
-      }
-      if (nargs > 2) {
-        return luaL_error(L, "To many arguments for register_command! usage: register_command(<key>, <function>);");
-      }
-      handler->register_command(script, pop_string(L), pop_string(L));
-      return 0;
-    } catch (LUAException e) {
-      return luaL_error(L, std::string("Error: " + w2s(e.getMessage())).c_str());
-    } catch (...) {
-      return luaL_error(L, "Unknown exception in: register_command");
-    }
-  }
+  char lua_manager::script_key[] = "registry.key.script";
+
   class lua_script {
     Lua_State L;
@@ -232 +276 @@
     void load() {
       luaL_openlibs(L);
+      nsclient_wrapper::luaopen(L);
       //Luna<Account>::Register(L);
-      lua_register(L, "inject", inject);
-      lua_register(L, "register_command", register_command);
+      //lua_register(L, "register_command", register_command);
 
       if (luaL_loadfile(L, strEx::wstring_to_string(script_).c_str()) != 0) {