/** * Sets up a graphing information structure with information * from a graph buffer management structure. * * \param Buffers The buffer management structure. * \param DrawInfo The graphing information structure. * \param DataCount The number of data points currently required. * The buffers are resized if needed. */ VOID PhGetDrawInfoGraphBuffers( __inout PPH_GRAPH_BUFFERS Buffers, __inout PPH_GRAPH_DRAW_INFO DrawInfo, __in ULONG DataCount ) { DrawInfo->LineDataCount = min(DataCount, PH_GRAPH_DATA_COUNT(DrawInfo->Width, DrawInfo->Step)); // Do we need to allocate or re-allocate the data buffers? if (Buffers->AllocatedCount < DrawInfo->LineDataCount) { if (Buffers->Data1) PhFree(Buffers->Data1); if ((DrawInfo->Flags & PH_GRAPH_USE_LINE_2) && Buffers->Data2) PhFree(Buffers->Data2); Buffers->AllocatedCount *= 2; if (Buffers->AllocatedCount < DrawInfo->LineDataCount) Buffers->AllocatedCount = DrawInfo->LineDataCount; Buffers->Data1 = PhAllocate(Buffers->AllocatedCount * sizeof(FLOAT)); if (DrawInfo->Flags & PH_GRAPH_USE_LINE_2) { Buffers->Data2 = PhAllocate(Buffers->AllocatedCount * sizeof(FLOAT)); } Buffers->Valid = FALSE; } DrawInfo->LineData1 = Buffers->Data1; DrawInfo->LineData2 = Buffers->Data2; }
NTSTATUS PhpGetObjectName( __in HANDLE ProcessHandle, __in HANDLE Handle, __out PPH_STRING *ObjectName ) { NTSTATUS status; POBJECT_NAME_INFORMATION buffer; ULONG bufferSize; ULONG attempts = 8; bufferSize = 0x200; buffer = PhAllocate(bufferSize); // A loop is needed because the I/O subsystem likes to give us the wrong return lengths... do { if (KphIsConnected()) { status = KphQueryInformationObject( ProcessHandle, Handle, KphObjectNameInformation, buffer, bufferSize, &bufferSize ); } else { status = NtQueryObject( Handle, ObjectNameInformation, buffer, bufferSize, &bufferSize ); } if (status == STATUS_BUFFER_OVERFLOW || status == STATUS_INFO_LENGTH_MISMATCH || status == STATUS_BUFFER_TOO_SMALL) { PhFree(buffer); buffer = PhAllocate(bufferSize); } else { break; } } while (--attempts); if (NT_SUCCESS(status)) { *ObjectName = PhCreateStringEx(buffer->Name.Buffer, buffer->Name.Length); } PhFree(buffer); return status; }
VOID AddNetworkAdapterToListView( _In_ PDV_NETADAPTER_CONTEXT Context, _In_ BOOLEAN AdapterPresent, _In_ IF_INDEX IfIndex, _In_ IF_LUID Luid, _In_ PPH_STRING Guid, _In_ PPH_STRING Description ) { DV_NETADAPTER_ID adapterId; INT lvItemIndex; BOOLEAN found = FALSE; PDV_NETADAPTER_ID newId = NULL; InitializeNetAdapterId(&adapterId, IfIndex, Luid, Guid); for (ULONG i = 0; i < NetworkAdaptersList->Count; i++) { PDV_NETADAPTER_ENTRY entry = PhReferenceObjectSafe(NetworkAdaptersList->Items[i]); if (!entry) continue; if (EquivalentNetAdapterId(&entry->AdapterId, &adapterId)) { newId = PhAllocate(sizeof(DV_NETADAPTER_ID)); CopyNetAdapterId(newId, &entry->AdapterId); if (entry->UserReference) found = TRUE; } PhDereferenceObjectDeferDelete(entry); if (newId) break; } if (!newId) { newId = PhAllocate(sizeof(DV_NETADAPTER_ID)); CopyNetAdapterId(newId, &adapterId); PhMoveReference(&newId->InterfaceGuid, Guid); } lvItemIndex = PhAddListViewGroupItem( Context->ListViewHandle, AdapterPresent ? 0 : 1, MAXINT, Description->Buffer, newId ); if (found) ListView_SetCheckState(Context->ListViewHandle, lvItemIndex, TRUE); DeleteNetAdapterId(&adapterId); }
VOID AddDiskDriveToListView( _In_ PDV_DISK_OPTIONS_CONTEXT Context, _In_ BOOLEAN DiskPresent, _In_ PPH_STRING DiskPath, _In_ PPH_STRING DiskName ) { DV_DISK_ID adapterId; INT lvItemIndex; BOOLEAN found = FALSE; PDV_DISK_ID newId = NULL; InitializeDiskId(&adapterId, DiskPath); for (ULONG i = 0; i < DiskDrivesList->Count; i++) { PDV_DISK_ENTRY entry = PhReferenceObjectSafe(DiskDrivesList->Items[i]); if (!entry) continue; if (EquivalentDiskId(&entry->Id, &adapterId)) { newId = PhAllocate(sizeof(DV_DISK_ID)); CopyDiskId(newId, &entry->Id); if (entry->UserReference) found = TRUE; } PhDereferenceObjectDeferDelete(entry); if (newId) break; } if (!newId) { newId = PhAllocate(sizeof(DV_DISK_ID)); CopyDiskId(newId, &adapterId); PhMoveReference(&newId->DevicePath, DiskPath); } lvItemIndex = AddListViewItemGroupId( Context->ListViewHandle, DiskPresent ? 0 : 1, MAXINT, DiskName->Buffer, newId ); if (found) ListView_SetItemState(Context->ListViewHandle, lvItemIndex, ITEM_CHECKED, LVIS_STATEIMAGEMASK); DeleteDiskId(&adapterId); }
LPENUM_SERVICE_STATUS EsEnumDependentServices( __in SC_HANDLE ServiceHandle, __in_opt ULONG State, __out PULONG Count ) { LOGICAL result; PVOID buffer; ULONG bufferSize; ULONG returnLength; ULONG servicesReturned; if (!State) State = SERVICE_STATE_ALL; bufferSize = 0x800; buffer = PhAllocate(bufferSize); if (!(result = EnumDependentServices( ServiceHandle, State, buffer, bufferSize, &returnLength, &servicesReturned ))) { if (GetLastError() == ERROR_MORE_DATA) { PhFree(buffer); bufferSize = returnLength; buffer = PhAllocate(bufferSize); result = EnumDependentServices( ServiceHandle, State, buffer, bufferSize, &returnLength, &servicesReturned ); } if (!result) { PhFree(buffer); return NULL; } } *Count = servicesReturned; return buffer; }
static VOID AddNetworkAdapterToListView( _In_ PDV_NETADAPTER_CONTEXT Context, _In_ PIP_ADAPTER_ADDRESSES Adapter ) { DV_NETADAPTER_ID adapterId; INT lvItemIndex; BOOLEAN found = FALSE; PDV_NETADAPTER_ID newId = NULL; InitializeNetAdapterId(&adapterId, Adapter->IfIndex, Adapter->Luid, NULL); for (ULONG i = 0; i < NetworkAdaptersList->Count; i++) { PDV_NETADAPTER_ENTRY entry = PhReferenceObjectSafe(NetworkAdaptersList->Items[i]); if (!entry) continue; if (EquivalentNetAdapterId(&entry->Id, &adapterId)) { newId = PhAllocate(sizeof(DV_NETADAPTER_ID)); CopyNetAdapterId(newId, &entry->Id); found = TRUE; } PhDereferenceObjectDeferDelete(entry); if (newId) break; } if (!newId) { newId = PhAllocate(sizeof(DV_NETADAPTER_ID)); CopyNetAdapterId(newId, &adapterId); PhMoveReference(&newId->InterfaceGuid, PhConvertMultiByteToUtf16(Adapter->AdapterName)); } lvItemIndex = PhAddListViewItem( Context->ListViewHandle, MAXINT, Adapter->Description, newId ); if (found) ListView_SetItemState(Context->ListViewHandle, lvItemIndex, ITEM_CHECKED, LVIS_STATEIMAGEMASK); DeleteNetAdapterId(&adapterId); }
VOID PhMapDisplayIndexTreeNew( __in HWND TreeNewHandle, __out_opt PULONG *DisplayToId, __out_opt PWSTR **DisplayToText, __out PULONG NumberOfColumns ) { PPH_TREENEW_COLUMN fixedColumn; ULONG numberOfColumns; PULONG displayToId; PWSTR *displayToText; ULONG i; PH_TREENEW_COLUMN column; fixedColumn = TreeNew_GetFixedColumn(TreeNewHandle); numberOfColumns = TreeNew_GetVisibleColumnCount(TreeNewHandle); displayToId = PhAllocate(numberOfColumns * sizeof(ULONG)); if (fixedColumn) { TreeNew_GetColumnOrderArray(TreeNewHandle, numberOfColumns - 1, displayToId + 1); displayToId[0] = fixedColumn->Id; } else { TreeNew_GetColumnOrderArray(TreeNewHandle, numberOfColumns, displayToId); } if (DisplayToText) { displayToText = PhAllocate(numberOfColumns * sizeof(PWSTR)); for (i = 0; i < numberOfColumns; i++) { if (TreeNew_GetColumn(TreeNewHandle, displayToId[i], &column)) { displayToText[i] = column.Text; } } *DisplayToText = displayToText; } if (DisplayToId) *DisplayToId = displayToId; else PhFree(displayToId); *NumberOfColumns = numberOfColumns; }
NTSTATUS PhpGetObjectSecurityWithTimeout( _In_ HANDLE Handle, _In_ SECURITY_INFORMATION SecurityInformation, _Out_ PSECURITY_DESCRIPTOR *SecurityDescriptor ) { NTSTATUS status; ULONG bufferSize; PVOID buffer; bufferSize = 0x100; buffer = PhAllocate(bufferSize); // This is required (especially for File objects) because some drivers don't seem to handle // QuerySecurity properly. memset(buffer, 0, bufferSize); status = PhCallNtQuerySecurityObjectWithTimeout( Handle, SecurityInformation, buffer, bufferSize, &bufferSize ); if (status == STATUS_BUFFER_TOO_SMALL) { PhFree(buffer); buffer = PhAllocate(bufferSize); memset(buffer, 0, bufferSize); status = PhCallNtQuerySecurityObjectWithTimeout( Handle, SecurityInformation, buffer, bufferSize, &bufferSize ); } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } *SecurityDescriptor = (PSECURITY_DESCRIPTOR)buffer; return status; }
ICLRDataTarget *DnCLRDataTarget_Create( __in HANDLE ProcessId ) { DnCLRDataTarget *dataTarget; HANDLE processHandle; BOOLEAN isWow64; if (!NT_SUCCESS(PhOpenProcess(&processHandle, ProcessQueryAccess | PROCESS_VM_READ, ProcessId))) return NULL; #ifdef _M_X64 if (!NT_SUCCESS(PhGetProcessIsWow64(processHandle, &isWow64))) { NtClose(processHandle); return NULL; } #else isWow64 = FALSE; #endif dataTarget = PhAllocate(sizeof(DnCLRDataTarget)); dataTarget->VTable = &DnCLRDataTarget_VTable; dataTarget->RefCount = 1; dataTarget->ProcessId = ProcessId; dataTarget->ProcessHandle = processHandle; dataTarget->IsWow64 = isWow64; return (ICLRDataTarget *)dataTarget; }
PCLR_PROCESS_SUPPORT CreateClrProcessSupport( __in HANDLE ProcessId ) { PCLR_PROCESS_SUPPORT support; ICLRDataTarget *dataTarget; IXCLRDataProcess *dataProcess; dataTarget = DnCLRDataTarget_Create(ProcessId); if (!dataTarget) return NULL; dataProcess = NULL; CreateXCLRDataProcess(ProcessId, dataTarget, &dataProcess); ICLRDataTarget_Release(dataTarget); if (!dataProcess) return NULL; support = PhAllocate(sizeof(CLR_PROCESS_SUPPORT)); support->DataProcess = dataProcess; return support; }
PUCHAR PhpReadSignature( _In_ PWSTR FileName, _Out_ PULONG SignatureSize ) { NTSTATUS status; HANDLE fileHandle; PUCHAR signature; ULONG bufferSize; IO_STATUS_BLOCK iosb; if (!NT_SUCCESS(PhCreateFileWin32(&fileHandle, FileName, FILE_GENERIC_READ, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT))) { return NULL; } bufferSize = 1024; signature = PhAllocate(bufferSize); status = NtReadFile(fileHandle, NULL, NULL, NULL, &iosb, signature, bufferSize, NULL, NULL); NtClose(fileHandle); if (NT_SUCCESS(status)) { *SignatureSize = (ULONG)iosb.Information; return signature; } else { PhFree(signature); return NULL; } }
PPH_PLUGIN PhpCreateDisabledPlugin( _In_ PPH_STRINGREF BaseName ) { PPH_PLUGIN plugin; plugin = PhAllocate(sizeof(PH_PLUGIN)); memset(plugin, 0, sizeof(PH_PLUGIN)); plugin->Name.Length = BaseName->Length; plugin->Name.Buffer = PhAllocate(BaseName->Length + sizeof(WCHAR)); memcpy(plugin->Name.Buffer, BaseName->Buffer, BaseName->Length); plugin->Name.Buffer[BaseName->Length / 2] = 0; return plugin; }
PPH_LIST DiskDriveQueryMountPointHandles( _In_ ULONG DeviceNumber ) { ULONG driveMask; PPH_LIST deviceList; WCHAR deviceNameBuffer[7] = L"\\\\.\\?:"; driveMask = DiskDriveQueryDeviceMap(); deviceList = PhCreateList(2); // NOTE: This isn't the best way of doing this but it works. for (INT i = 0; i < 0x1A; i++) { if (driveMask & (0x1 << i)) { HANDLE deviceHandle; deviceNameBuffer[4] = (WCHAR)('A' + i); if (NT_SUCCESS(PhCreateFileWin32( &deviceHandle, deviceNameBuffer, PhGetOwnTokenAttributes().Elevated ? FILE_GENERIC_READ : FILE_READ_ATTRIBUTES | FILE_TRAVERSE | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ))) { ULONG deviceNumber = ULONG_MAX; // Note: Do not initialize to zero. DEVICE_TYPE deviceType = 0; if (NT_SUCCESS(DiskDriveQueryDeviceTypeAndNumber( deviceHandle, &deviceNumber, &deviceType ))) { // BUG: Device numbers are re-used on seperate device controllers and this // causes drive letters to be assigned to disks at those same indexes. // For now, just filter CD_ROM devices but we may need to be a lot more strict and // only allow devices of type FILE_DEVICE_DISK to be scanned for mount points. if (deviceNumber == DeviceNumber && deviceType != FILE_DEVICE_CD_ROM) { PDISK_HANDLE_ENTRY entry = PhAllocate(sizeof(DISK_HANDLE_ENTRY)); memset(entry, 0, sizeof(DISK_HANDLE_ENTRY)); entry->DeviceLetter = deviceNameBuffer[4]; entry->DeviceHandle = deviceHandle; PhAddItemList(deviceList, entry); } } } } } return deviceList; }
/** * Creates a service list property page. * * \param ParentWindowHandle The parent of the service list. * \param Services An array of service items. Each * service item must have a reference that is transferred * to this function. The array must be allocated using * PhAllocate() and must not be freed by the caller; it * will be freed automatically when no longer needed. * \param NumberOfServices The number of service items * in \a Services. */ HWND PhCreateServiceListControl( _In_ HWND ParentWindowHandle, _In_ PPH_SERVICE_ITEM *Services, _In_ ULONG NumberOfServices ) { HWND windowHandle; PPH_SERVICES_CONTEXT servicesContext; servicesContext = PhAllocate(sizeof(PH_SERVICES_CONTEXT)); memset(servicesContext, 0, sizeof(PH_SERVICES_CONTEXT)); servicesContext->Services = Services; servicesContext->NumberOfServices = NumberOfServices; windowHandle = CreateDialogParam( PhInstanceHandle, MAKEINTRESOURCE(IDD_SRVLIST), ParentWindowHandle, PhpServicesPageProc, (LPARAM)servicesContext ); if (!windowHandle) { PhFree(servicesContext); return windowHandle; } return windowHandle; }
PVOID ExtractResourceToBuffer( _In_ PWSTR Resource ) { ULONG resourceLength; HRSRC resourceHandle = NULL; HGLOBAL resourceData; PVOID resourceBuffer; PVOID buffer = NULL; if (!(resourceHandle = FindResource(PhInstanceHandle, Resource, RT_RCDATA))) goto CleanupExit; resourceLength = SizeofResource(PhInstanceHandle, resourceHandle); if (!(resourceData = LoadResource(PhInstanceHandle, resourceHandle))) goto CleanupExit; if (!(resourceBuffer = LockResource(resourceData))) goto CleanupExit; if (!(buffer = PhAllocate(resourceLength))) goto CleanupExit; memcpy(buffer, resourceBuffer, resourceLength); CleanupExit: if (resourceHandle) FreeResource(resourceHandle); return buffer; }
/** * Enables extended list view support for a list view control. * * \param hWnd A handle to the list view control. */ VOID PhSetExtendedListView( _In_ HWND hWnd ) { WNDPROC oldWndProc; PPH_EXTLV_CONTEXT context; oldWndProc = (WNDPROC)GetWindowLongPtr(hWnd, GWLP_WNDPROC); SetWindowLongPtr(hWnd, GWLP_WNDPROC, (LONG_PTR)PhpExtendedListViewWndProc); context = PhAllocate(sizeof(PH_EXTLV_CONTEXT)); context->Handle = hWnd; context->OldWndProc = oldWndProc; context->Context = NULL; context->TriState = FALSE; context->SortColumn = 0; context->SortOrder = AscendingSortOrder; context->SortFast = FALSE; context->TriStateCompareFunction = NULL; memset(context->CompareFunctions, 0, sizeof(context->CompareFunctions)); context->NumberOfFallbackColumns = 0; context->ItemColorFunction = NULL; context->ItemFontFunction = NULL; context->EnableRedraw = 1; context->Cursor = NULL; SetProp(hWnd, PhpMakeExtLvContextAtom(), (HANDLE)context); ExtendedListView_Init(hWnd); }
static NTSTATUS PhEnumAtomTable( _Out_ PATOM_TABLE_INFORMATION* AtomTable ) { NTSTATUS status; PVOID buffer; ULONG bufferSize = 0x1000; buffer = PhAllocate(bufferSize); memset(buffer, 0, bufferSize); status = NtQueryInformationAtom( RTL_ATOM_INVALID_ATOM, AtomTableInformation, buffer, bufferSize, &bufferSize // Not used... ); if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } *AtomTable = buffer; return status; }
VOID PhCreateSearchControl( _In_ HWND Parent, _In_ HWND WindowHandle, _In_opt_ PWSTR BannerText ) { PEDIT_CONTEXT context; context = (PEDIT_CONTEXT)PhAllocate(sizeof(EDIT_CONTEXT)); memset(context, 0, sizeof(EDIT_CONTEXT)); context->WindowHandle = WindowHandle; //PhpSearchInitializeTheme(context); PhpSearchInitializeImages(context); // Set initial text if (BannerText) Edit_SetCueBannerText(context->WindowHandle, BannerText); // Subclass the Edit control window procedure. SetWindowSubclass(context->WindowHandle, PhpSearchWndSubclassProc, 0, (ULONG_PTR)context); // Initialize the theme parameters. SendMessage(context->WindowHandle, WM_THEMECHANGED, 0, 0); }
VOID PhShowMemoryResultsDialog( _In_ HANDLE ProcessId, _In_ PPH_LIST Results ) { HWND windowHandle; PMEMORY_RESULTS_CONTEXT context; ULONG i; context = PhAllocate(sizeof(MEMORY_RESULTS_CONTEXT)); context->ProcessId = ProcessId; context->Results = Results; PhReferenceObject(Results); for (i = 0; i < Results->Count; i++) PhReferenceMemoryResult(Results->Items[i]); windowHandle = CreateDialogParam( PhInstanceHandle, MAKEINTRESOURCE(IDD_MEMRESULTS), NULL, PhpMemoryResultsDlgProc, (LPARAM)context ); ShowWindow(windowHandle, SW_SHOW); }
static NTSTATUS PhQueryAtomTableEntry( _In_ RTL_ATOM Atom, _Out_ PATOM_BASIC_INFORMATION* AtomInfo ) { NTSTATUS status; PVOID buffer; ULONG bufferSize = 0x1000; buffer = PhAllocate(bufferSize); memset(buffer, 0, bufferSize); status = NtQueryInformationAtom( Atom, AtomBasicInformation, buffer, bufferSize, &bufferSize // Not used... ); if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } *AtomInfo = buffer; return status; }
PPH_STRING KhspQueryFileName( _In_ LONGLONG ScanId, _In_ USHORT FileNameLength) { HRESULT result; PWCHAR buffer; DWORD bytesReturned; PPH_STRING fileName; struct { ULONG Command; LONGLONG ScanId; } input = { HsCmdQueryFileName, ScanId }; buffer = PhAllocate(FileNameLength); result = FilterSendMessage( HsKhsPortHandle, &input, sizeof(input), buffer, FileNameLength, &bytesReturned); if (SUCCEEDED(result)) fileName = PhCreateStringEx(buffer, FileNameLength); else fileName = NULL; PhFree(buffer); return fileName; }
/** * Sets the object extension size and callbacks for an object type. * * \param AppContext The application context. * \param ObjectType The type of object for which the extension is being registered. * \param ExtensionSize The size of the extension, in bytes. * \param CreateCallback The object creation callback. * \param DeleteCallback The object deletion callback. */ VOID PhEmSetObjectExtension( _Inout_ PPH_EM_APP_CONTEXT AppContext, _In_ PH_EM_OBJECT_TYPE ObjectType, _In_ SIZE_T ExtensionSize, _In_opt_ PPH_EM_OBJECT_CALLBACK CreateCallback, _In_opt_ PPH_EM_OBJECT_CALLBACK DeleteCallback ) { PPH_EM_OBJECT_TYPE_STATE objectTypeState; PPH_EM_OBJECT_EXTENSION objectExtension; objectTypeState = &PhEmObjectTypeState[ObjectType]; objectExtension = AppContext->Extensions[ObjectType]; if (!objectExtension) { objectExtension = PhAllocate(sizeof(PH_EM_OBJECT_EXTENSION)); memset(objectExtension, 0, sizeof(PH_EM_OBJECT_EXTENSION)); InsertTailList(&objectTypeState->ExtensionListHead, &objectExtension->ListEntry); AppContext->Extensions[ObjectType] = objectExtension; objectExtension->ExtensionSize = ExtensionSize; objectExtension->ExtensionOffset = objectTypeState->ExtensionOffset; objectTypeState->ExtensionOffset += ExtensionSize; } objectExtension->Callbacks[EmObjectCreate] = CreateCallback; objectExtension->Callbacks[EmObjectDelete] = DeleteCallback; }
static PPH_STRING EspGetServiceSidString( _In_ PPH_STRINGREF ServiceName ) { PSID serviceSid = NULL; UNICODE_STRING serviceNameUs; ULONG serviceSidLength = 0; PPH_STRING sidString = NULL; if (!RtlCreateServiceSid_I) return NULL; PhStringRefToUnicodeString(ServiceName, &serviceNameUs); if (RtlCreateServiceSid_I(&serviceNameUs, serviceSid, &serviceSidLength) == STATUS_BUFFER_TOO_SMALL) { serviceSid = PhAllocate(serviceSidLength); if (NT_SUCCESS(RtlCreateServiceSid_I(&serviceNameUs, serviceSid, &serviceSidLength))) sidString = PhSidToStringSid(serviceSid); PhFree(serviceSid); } return sidString; }
PPH_LIST VirusTotalJsonToResultList( _In_ PVOID JsonObject ) { ULONG i; ULONG arrayLength; PPH_LIST results; if (!(arrayLength = PhGetJsonArrayLength(JsonObject))) return NULL; results = PhCreateList(arrayLength); for (i = 0; i < arrayLength; i++) { PVIRUSTOTAL_API_RESULT result; PVOID jsonArrayObject; if (!(jsonArrayObject = PhGetJsonArrayIndexObject(JsonObject, i))) continue; result = PhAllocate(sizeof(VIRUSTOTAL_API_RESULT)); memset(result, 0, sizeof(VIRUSTOTAL_API_RESULT)); result->FileHash = PhGetJsonValueAsString(jsonArrayObject, "hash"); result->Found = PhGetJsonObjectBool(jsonArrayObject, "found") == TRUE; result->Positives = PhGetJsonValueAsLong64(jsonArrayObject, "positives"); result->Total = PhGetJsonValueAsLong64(jsonArrayObject, "total"); PhAddItemList(results, result); } return results; }
VOID CreateDotNetTraceQueryThread( _In_ HWND WindowHandle, _In_ ULONG ClrVersions, _In_ HANDLE ProcessId ) { HANDLE threadHandle; PASMPAGE_QUERY_CONTEXT context; context = PhAllocate(sizeof(ASMPAGE_QUERY_CONTEXT)); memset(context, 0, sizeof(ASMPAGE_QUERY_CONTEXT)); context->WindowHandle = WindowHandle; context->ClrVersions = ClrVersions; context->ProcessId = ProcessId; context->NodeList = PhCreateList(64); context->NodeRootList = PhCreateList(2); if (threadHandle = PhCreateThread(0, DotNetTraceQueryThreadStart, context)) { NtClose(threadHandle); } else { DestroyDotNetTraceQuery(context); } }
VOID PerformNetworkAction( _In_ PH_NETWORK_ACTION Action, _In_ PPH_NETWORK_ITEM NetworkItem ) { HANDLE dialogThread = INVALID_HANDLE_VALUE; PNETWORK_OUTPUT_CONTEXT context; context = (PNETWORK_OUTPUT_CONTEXT)PhAllocate(sizeof(NETWORK_OUTPUT_CONTEXT)); memset(context, 0, sizeof(NETWORK_OUTPUT_CONTEXT)); context->Action = Action; context->NetworkItem = NetworkItem; context->IpAddress = NetworkItem->RemoteEndpoint.Address; if (context->Action == NETWORK_ACTION_PING) { if (dialogThread = PhCreateThread(0, PhNetworkPingDialogThreadStart, (PVOID)context)) NtClose(dialogThread); } else { if (dialogThread = PhCreateThread(0, PhNetworkOutputDialogThreadStart, (PVOID)context)) NtClose(dialogThread); } }
VOID StatusBarLoadSettings( VOID ) { ULONG64 buttonCount = 0; PPH_STRING settingsString; PH_STRINGREF remaining; PH_STRINGREF part; settingsString = PhaGetStringSetting(SETTING_NAME_STATUSBAR_CONFIG); remaining = settingsString->sr; if (remaining.Length == 0) { // Load default settings StatusBarLoadDefault(); return; } // Query the number of buttons to insert if (!PhSplitStringRefAtChar(&remaining, '|', &part, &remaining)) { // Load default settings StatusBarLoadDefault(); return; } if (!PhStringToInteger64(&part, 10, &buttonCount)) { // Load default settings StatusBarLoadDefault(); return; } StatusBarItemList = PhCreateList((ULONG)buttonCount); for (ULONG i = 0; i < (ULONG)buttonCount; i++) { PH_STRINGREF idPart; ULONG64 idInteger; if (remaining.Length == 0) break; PhSplitStringRefAtChar(&remaining, '|', &idPart, &remaining); if (PhStringToInteger64(&idPart, 10, &idInteger)) { PSTATUSBAR_ITEM statusItem; statusItem = PhAllocate(sizeof(STATUSBAR_ITEM)); memset(statusItem, 0, sizeof(STATUSBAR_ITEM)); statusItem->Id = (ULONG)idInteger; PhInsertItemList(StatusBarItemList, i, statusItem); } } }
/** * Creates a string representation of an access mask. * * \param Access The access mask. * \param AccessEntries An array of access entry structures. You can * call PhGetAccessEntries() to retrieve the access entry structures * for a standard object type. * \param NumberOfAccessEntries The number of elements in \a AccessEntries. * * \return The string representation of \a Access. */ PPH_STRING PhGetAccessString( _In_ ACCESS_MASK Access, _In_ PPH_ACCESS_ENTRY AccessEntries, _In_ ULONG NumberOfAccessEntries ) { PH_STRING_BUILDER stringBuilder; PPH_ACCESS_ENTRY accessEntries; PBOOLEAN matched; ULONG i; ULONG j; PhInitializeStringBuilder(&stringBuilder, 32); // Sort the access entries according to how many access rights they // include. accessEntries = PhAllocateCopy(AccessEntries, NumberOfAccessEntries * sizeof(PH_ACCESS_ENTRY)); qsort(accessEntries, NumberOfAccessEntries, sizeof(PH_ACCESS_ENTRY), PhpAccessEntryCompare); matched = PhAllocate(NumberOfAccessEntries * sizeof(BOOLEAN)); memset(matched, 0, NumberOfAccessEntries * sizeof(BOOLEAN)); for (i = 0; i < NumberOfAccessEntries; i++) { // We make sure we haven't matched this access entry yet. // This ensures that we won't get duplicates, e.g. // FILE_GENERIC_READ includes FILE_READ_DATA, and we // don't want to display both to the user. if ( !matched[i] && ((Access & accessEntries[i].Access) == accessEntries[i].Access) ) { if (accessEntries[i].ShortName) PhAppendStringBuilder2(&stringBuilder, accessEntries[i].ShortName); else PhAppendStringBuilder2(&stringBuilder, accessEntries[i].Name); PhAppendStringBuilder2(&stringBuilder, L", "); // Disable equal or more specific entries. for (j = i; j < NumberOfAccessEntries; j++) { if ((accessEntries[i].Access | accessEntries[j].Access) == accessEntries[i].Access) matched[j] = TRUE; } } } // Remove the trailing ", ". if (PhEndsWithString2(stringBuilder.String, L", ", FALSE)) PhRemoveEndStringBuilder(&stringBuilder, 2); PhFree(matched); PhFree(accessEntries); return PhFinalStringBuilderString(&stringBuilder); }
PPH_STRING PhpaGetAlpcInformation( _In_ HANDLE ThreadId ) { NTSTATUS status; PPH_STRING string = NULL; HANDLE threadHandle; PALPC_SERVER_INFORMATION serverInfo; ULONG bufferLength; if (!NT_SUCCESS(PhOpenThread(&threadHandle, THREAD_QUERY_INFORMATION, ThreadId))) return NULL; bufferLength = 0x110; serverInfo = PhAllocate(bufferLength); serverInfo->In.ThreadHandle = threadHandle; status = NtAlpcQueryInformation(NULL, AlpcServerInformation, serverInfo, bufferLength, &bufferLength); if (status == STATUS_INFO_LENGTH_MISMATCH) { PhFree(serverInfo); serverInfo = PhAllocate(bufferLength); serverInfo->In.ThreadHandle = threadHandle; status = NtAlpcQueryInformation(NULL, AlpcServerInformation, serverInfo, bufferLength, &bufferLength); } if (NT_SUCCESS(status) && serverInfo->Out.ThreadBlocked) { CLIENT_ID clientId; PPH_STRING clientIdName; clientId.UniqueProcess = serverInfo->Out.ConnectedProcessId; clientId.UniqueThread = NULL; clientIdName = PH_AUTO(PhGetClientIdName(&clientId)); string = PhaFormatString(L"ALPC Port: %.*s (%s)", serverInfo->Out.ConnectionPortName.Length / sizeof(WCHAR), serverInfo->Out.ConnectionPortName.Buffer, clientIdName->Buffer); } PhFree(serverInfo); NtClose(threadHandle); return string; }
BOOLEAN PhpGetSignaturesFromStateData( _In_ HANDLE StateData, _Out_ PCERT_CONTEXT **Signatures, _Out_ PULONG NumberOfSignatures ) { PCRYPT_PROVIDER_DATA provData; PCRYPT_PROVIDER_SGNR sgnr; PCERT_CONTEXT *signatures; ULONG i; ULONG numberOfSignatures; ULONG index; provData = WTHelperProvDataFromStateData_I(StateData); if (!provData) { *Signatures = NULL; *NumberOfSignatures = 0; return FALSE; } i = 0; numberOfSignatures = 0; while (sgnr = WTHelperGetProvSignerFromChain_I(provData, i, FALSE, 0)) { if (sgnr->csCertChain != 0) numberOfSignatures++; i++; } if (numberOfSignatures != 0) { signatures = PhAllocate(numberOfSignatures * sizeof(PCERT_CONTEXT)); i = 0; index = 0; while (sgnr = WTHelperGetProvSignerFromChain_I(provData, i, FALSE, 0)) { if (sgnr->csCertChain != 0) signatures[index++] = (PCERT_CONTEXT)CertDuplicateCertificateContext_I(sgnr->pasCertChain[0].pCert); i++; } } else { signatures = NULL; } *Signatures = signatures; *NumberOfSignatures = numberOfSignatures; return TRUE; }