NTSTATUS PhSipLoadMmAddresses(
_In_ PVOID Parameter
)
{
PRTL_PROCESS_MODULES kernelModules;
PPH_SYMBOL_PROVIDER symbolProvider;
PPH_STRING kernelFileName;
PPH_STRING newFileName;
PH_SYMBOL_INFORMATION symbolInfo;
if (NT_SUCCESS(PhEnumKernelModules(&kernelModules)))
{
if (kernelModules->NumberOfModules >= 1)
{
symbolProvider = PhCreateSymbolProvider(NULL);
PhLoadSymbolProviderOptions(symbolProvider);
kernelFileName = PH_AUTO(PhConvertMultiByteToUtf16(kernelModules->Modules[0].FullPathName));
newFileName = PH_AUTO(PhGetFileName(kernelFileName));
PhLoadModuleSymbolProvider(
symbolProvider,
newFileName->Buffer,
(ULONG64)kernelModules->Modules[0].ImageBase,
kernelModules->Modules[0].ImageSize
);
if (PhGetSymbolFromName(
symbolProvider,
L"MmSizeOfPagedPoolInBytes",
&symbolInfo
))
{
MmSizeOfPagedPoolInBytes = (PSIZE_T)symbolInfo.Address;
}
if (PhGetSymbolFromName(
symbolProvider,
L"MmMaximumNonPagedPoolInBytes",
&symbolInfo
))
{
MmMaximumNonPagedPoolInBytes = (PSIZE_T)symbolInfo.Address;
}
PhDereferenceObject(symbolProvider);
}
PhFree(kernelModules);
}
return STATUS_SUCCESS;
}
PPH_THREAD_PROVIDER PhCreateThreadProvider(
__in HANDLE ProcessId
)
{
PPH_THREAD_PROVIDER threadProvider;
if (!NT_SUCCESS(PhCreateObject(
&threadProvider,
sizeof(PH_THREAD_PROVIDER),
0,
PhThreadProviderType
)))
return NULL;
threadProvider->ThreadHashtable = PhCreateHashtable(
sizeof(PPH_THREAD_ITEM),
PhpThreadHashtableCompareFunction,
PhpThreadHashtableHashFunction,
20
);
PhInitializeFastLock(&threadProvider->ThreadHashtableLock);
PhInitializeCallback(&threadProvider->ThreadAddedEvent);
PhInitializeCallback(&threadProvider->ThreadModifiedEvent);
PhInitializeCallback(&threadProvider->ThreadRemovedEvent);
PhInitializeCallback(&threadProvider->UpdatedEvent);
PhInitializeCallback(&threadProvider->LoadingStateChangedEvent);
threadProvider->ProcessId = ProcessId;
threadProvider->SymbolProvider = PhCreateSymbolProvider(ProcessId);
if (threadProvider->SymbolProvider)
{
if (threadProvider->SymbolProvider->IsRealHandle)
threadProvider->ProcessHandle = threadProvider->SymbolProvider->ProcessHandle;
}
PhInitializeEvent(&threadProvider->SymbolsLoadedEvent);
threadProvider->SymbolsLoading = 0;
RtlInitializeSListHead(&threadProvider->QueryListHead);
threadProvider->RunId = 1;
// Begin loading symbols for the process' modules.
PhReferenceObject(threadProvider);
PhpQueueThreadWorkQueueItem(PhpThreadProviderLoadSymbols, threadProvider);
return threadProvider;
}
VOID PhShowNetworkStackDialog(
_In_ HWND ParentWindowHandle,
_In_ PPH_NETWORK_ITEM NetworkItem
)
{
NETWORK_STACK_CONTEXT networkStackContext;
networkStackContext.NetworkItem = NetworkItem;
networkStackContext.SymbolProvider = PhCreateSymbolProvider(NetworkItem->ProcessId);
if (networkStackContext.SymbolProvider->IsRealHandle)
{
// Load symbols for the process.
networkStackContext.LoadingProcessId = NetworkItem->ProcessId;
PhEnumGenericModules(
NetworkItem->ProcessId,
networkStackContext.SymbolProvider->ProcessHandle,
0,
LoadSymbolsEnumGenericModulesCallback,
&networkStackContext
);
// Load symbols for kernel-mode.
networkStackContext.LoadingProcessId = SYSTEM_PROCESS_ID;
PhEnumGenericModules(
SYSTEM_PROCESS_ID,
NULL,
0,
LoadSymbolsEnumGenericModulesCallback,
&networkStackContext
);
}
else
{
PhDereferenceObject(networkStackContext.SymbolProvider);
PhShowError(ParentWindowHandle, L"Unable to open the process.");
return;
}
DialogBoxParam(
PhInstanceHandle,
MAKEINTRESOURCE(IDD_NETSTACK),
ParentWindowHandle,
PhpNetworkStackDlgProc,
(LPARAM)&networkStackContext
);
PhDereferenceObject(networkStackContext.SymbolProvider);
}
PPH_THREAD_PROVIDER PhCreateThreadProvider(
_In_ HANDLE ProcessId
)
{
PPH_THREAD_PROVIDER threadProvider;
threadProvider = PhCreateObject(
PhEmGetObjectSize(EmThreadProviderType, sizeof(PH_THREAD_PROVIDER)),
PhThreadProviderType
);
memset(threadProvider, 0, sizeof(PH_THREAD_PROVIDER));
threadProvider->ThreadHashtable = PhCreateHashtable(
sizeof(PPH_THREAD_ITEM),
PhpThreadHashtableEqualFunction,
PhpThreadHashtableHashFunction,
20
);
PhInitializeFastLock(&threadProvider->ThreadHashtableLock);
PhInitializeCallback(&threadProvider->ThreadAddedEvent);
PhInitializeCallback(&threadProvider->ThreadModifiedEvent);
PhInitializeCallback(&threadProvider->ThreadRemovedEvent);
PhInitializeCallback(&threadProvider->UpdatedEvent);
PhInitializeCallback(&threadProvider->LoadingStateChangedEvent);
threadProvider->ProcessId = ProcessId;
threadProvider->SymbolProvider = PhCreateSymbolProvider(ProcessId);
if (threadProvider->SymbolProvider)
{
if (threadProvider->SymbolProvider->IsRealHandle)
threadProvider->ProcessHandle = threadProvider->SymbolProvider->ProcessHandle;
}
RtlInitializeSListHead(&threadProvider->QueryListHead);
PhInitializeQueuedLock(&threadProvider->LoadSymbolsLock);
threadProvider->RunId = 1;
threadProvider->SymbolsLoadedRunId = 0; // Force symbols to be loaded the first time we try to resolve an address
PhEmCallObjectOperation(EmThreadProviderType, threadProvider, EmObjectCreate);
return threadProvider;
}
INT_PTR CALLBACK EtpWsWatchDlgProc(
_In_ HWND hwndDlg,
_In_ UINT uMsg,
_In_ WPARAM wParam,
_In_ LPARAM lParam
)
{
PWS_WATCH_CONTEXT context;
if (uMsg == WM_INITDIALOG)
{
context = (PWS_WATCH_CONTEXT)lParam;
SetProp(hwndDlg, L"Context", (HANDLE)context);
}
else
{
context = (PWS_WATCH_CONTEXT)GetProp(hwndDlg, L"Context");
if (uMsg == WM_DESTROY)
RemoveProp(hwndDlg, L"Context");
}
if (!context)
return FALSE;
switch (uMsg)
{
case WM_INITDIALOG:
{
HWND lvHandle;
PhCenterWindow(hwndDlg, GetParent(hwndDlg));
context->WindowHandle = hwndDlg;
context->ListViewHandle = lvHandle = GetDlgItem(hwndDlg, IDC_LIST);
PhSetListViewStyle(lvHandle, FALSE, TRUE);
PhSetControlTheme(lvHandle, L"explorer");
PhAddListViewColumn(lvHandle, 0, 0, 0, LVCFMT_LEFT, 340, L"Instruction");
PhAddListViewColumn(lvHandle, 1, 1, 1, LVCFMT_LEFT, 80, L"Count");
PhSetExtendedListView(lvHandle);
ExtendedListView_SetSort(lvHandle, 1, DescendingSortOrder);
context->Hashtable = PhCreateSimpleHashtable(64);
context->BufferSize = 0x2000;
context->Buffer = PhAllocate(context->BufferSize);
PhInitializeQueuedLock(&context->ResultListLock);
context->SymbolProvider = PhCreateSymbolProvider(context->ProcessItem->ProcessId);
PhLoadSymbolProviderOptions(context->SymbolProvider);
if (!context->SymbolProvider || !context->SymbolProvider->IsRealHandle)
{
PhShowError(hwndDlg, L"Unable to open the process.");
EndDialog(hwndDlg, IDCANCEL);
break;
}
context->ProcessHandle = context->SymbolProvider->ProcessHandle;
// Load symbols for both process and kernel modules.
context->LoadingSymbolsForProcessId = context->ProcessItem->ProcessId;
PhEnumGenericModules(
NULL,
context->ProcessHandle,
0,
EnumGenericModulesCallback,
context
);
context->LoadingSymbolsForProcessId = SYSTEM_PROCESS_ID;
PhEnumGenericModules(
SYSTEM_PROCESS_ID,
NULL,
0,
EnumGenericModulesCallback,
context
);
context->Enabled = EtpUpdateWsWatch(hwndDlg, context);
if (context->Enabled)
{
// WS Watch is already enabled for the process. Enable updating.
EnableWindow(GetDlgItem(hwndDlg, IDC_ENABLE), FALSE);
ShowWindow(GetDlgItem(hwndDlg, IDC_WSWATCHENABLED), SW_SHOW);
SetTimer(hwndDlg, 1, 1000, NULL);
}
else
{
// WS Watch has not yet been enabled for the process.
}
}
break;
case WM_DESTROY:
{
context->Destroying = TRUE;
PhDereferenceObject(context->Hashtable);
if (context->Buffer)
{
PhFree(context->Buffer);
context->Buffer = NULL;
}
}
break;
case WM_COMMAND:
{
switch (LOWORD(wParam))
{
case IDCANCEL:
case IDOK:
EndDialog(hwndDlg, IDOK);
break;
case IDC_ENABLE:
{
NTSTATUS status;
HANDLE processHandle;
if (NT_SUCCESS(status = PhOpenProcess(
&processHandle,
PROCESS_SET_INFORMATION,
context->ProcessItem->ProcessId
)))
{
status = NtSetInformationProcess(
processHandle,
ProcessWorkingSetWatchEx,
NULL,
0
);
NtClose(processHandle);
}
if (NT_SUCCESS(status))
{
EnableWindow(GetDlgItem(hwndDlg, IDC_ENABLE), FALSE);
ShowWindow(GetDlgItem(hwndDlg, IDC_WSWATCHENABLED), SW_SHOW);
SetTimer(hwndDlg, 1, 1000, NULL);
}
else
{
PhShowStatus(hwndDlg, L"Unable to enable WS watch", status, 0);
}
}
break;
}
}
break;
case WM_NOTIFY:
{
PhHandleListViewNotifyForCopy(lParam, context->ListViewHandle);
}
break;
case WM_TIMER:
{
switch (wParam)
{
case 1:
{
EtpUpdateWsWatch(hwndDlg, context);
}
break;
}
}
break;
}
return FALSE;
}
INT_PTR CALLBACK EtpTpWorkerFactoryPageDlgProc(
__in HWND hwndDlg,
__in UINT uMsg,
__in WPARAM wParam,
__in LPARAM lParam
)
{
switch (uMsg)
{
case WM_INITDIALOG:
{
LPPROPSHEETPAGE propSheetPage = (LPPROPSHEETPAGE)lParam;
PCOMMON_PAGE_CONTEXT context = (PCOMMON_PAGE_CONTEXT)propSheetPage->lParam;
HANDLE workerFactoryHandle;
if (NT_SUCCESS(EtpDuplicateHandleFromProcess(&workerFactoryHandle, WORKER_FACTORY_QUERY_INFORMATION, context)))
{
WORKER_FACTORY_BASIC_INFORMATION basicInfo;
if (NT_SUCCESS(NtQueryInformationWorkerFactory(
workerFactoryHandle,
WorkerFactoryBasicInformation,
&basicInfo,
sizeof(WORKER_FACTORY_BASIC_INFORMATION),
NULL
)))
{
PPH_SYMBOL_PROVIDER symbolProvider;
PPH_STRING symbol = NULL;
symbolProvider = PhCreateSymbolProvider(basicInfo.ProcessId);
PhLoadSymbolProviderOptions(symbolProvider);
if (symbolProvider->IsRealHandle)
{
PhEnumGenericModules(basicInfo.ProcessId, symbolProvider->ProcessHandle,
0, EnumGenericModulesCallback, symbolProvider);
symbol = PhGetSymbolFromAddress(symbolProvider, (ULONG64)basicInfo.StartRoutine,
NULL, NULL, NULL, NULL);
}
PhDereferenceObject(symbolProvider);
if (symbol)
{
SetDlgItemText(hwndDlg, IDC_WORKERTHREADSTART,
PhaFormatString(L"Worker Thread Start: %s", symbol->Buffer)->Buffer);
PhDereferenceObject(symbol);
}
else
{
SetDlgItemText(hwndDlg, IDC_WORKERTHREADSTART,
PhaFormatString(L"Worker Thread Start: 0x%Ix", basicInfo.StartRoutine)->Buffer);
}
SetDlgItemText(hwndDlg, IDC_WORKERTHREADCONTEXT,
PhaFormatString(L"Worker Thread Context: 0x%Ix", basicInfo.StartParameter)->Buffer);
}
NtClose(workerFactoryHandle);
}
}
break;
}
return FALSE;
}
