/**
* Determines the type of a process based on its image file name.
*
* \param ProcessHandle A handle to a process.
* \param KnownProcessType A variable which receives the process
* type.
*/
NTSTATUS PhGetProcessKnownType(
__in HANDLE ProcessHandle,
__out PH_KNOWN_PROCESS_TYPE *KnownProcessType
)
{
NTSTATUS status;
PH_KNOWN_PROCESS_TYPE knownProcessType;
PROCESS_BASIC_INFORMATION basicInfo;
PH_STRINGREF systemRootPrefix;
PPH_STRING fileName;
PPH_STRING newFileName;
PH_STRINGREF name;
#ifdef _M_X64
BOOLEAN isWow64 = FALSE;
#endif
if (!NT_SUCCESS(status = PhGetProcessBasicInformation(
ProcessHandle,
&basicInfo
)))
return status;
if (basicInfo.UniqueProcessId == SYSTEM_PROCESS_ID)
{
*KnownProcessType = SystemProcessType;
return STATUS_SUCCESS;
}
PhGetSystemRoot(&systemRootPrefix);
if (!NT_SUCCESS(status = PhGetProcessImageFileName(
ProcessHandle,
&fileName
)))
{
return status;
}
newFileName = PhGetFileName(fileName);
PhDereferenceObject(fileName);
name = newFileName->sr;
knownProcessType = UnknownProcessType;
if (PhStartsWithStringRef(&name, &systemRootPrefix, TRUE))
{
// Skip the system root, and we now have three cases:
// 1. \\xyz.exe - Windows executable.
// 2. \\System32\\xyz.exe - system32 executable.
// 3. \\SysWow64\\xyz.exe - system32 executable + WOW64.
name.Buffer += systemRootPrefix.Length / 2;
name.Length -= systemRootPrefix.Length;
if (PhEqualStringRef2(&name, L"\\explorer.exe", TRUE))
{
knownProcessType = ExplorerProcessType;
}
else if (
PhStartsWithStringRef2(&name, L"\\System32", TRUE)
#ifdef _M_X64
|| (PhStartsWithStringRef2(&name, L"\\SysWow64", TRUE) && (isWow64 = TRUE, TRUE)) // ugly but necessary
#endif
)
{
// SysTem32 and SysWow64 are both 8 characters long.
name.Buffer += 9;
name.Length -= 9 * 2;
if (FALSE)
; // Dummy
else if (PhEqualStringRef2(&name, L"\\smss.exe", TRUE))
knownProcessType = SessionManagerProcessType;
else if (PhEqualStringRef2(&name, L"\\csrss.exe", TRUE))
knownProcessType = WindowsSubsystemProcessType;
else if (PhEqualStringRef2(&name, L"\\wininit.exe", TRUE))
knownProcessType = WindowsStartupProcessType;
else if (PhEqualStringRef2(&name, L"\\services.exe", TRUE))
knownProcessType = ServiceControlManagerProcessType;
else if (PhEqualStringRef2(&name, L"\\lsass.exe", TRUE))
knownProcessType = LocalSecurityAuthorityProcessType;
else if (PhEqualStringRef2(&name, L"\\lsm.exe", TRUE))
knownProcessType = LocalSessionManagerProcessType;
else if (PhEqualStringRef2(&name, L"\\winlogon.exe", TRUE))
knownProcessType = WindowsLogonProcessType;
else if (PhEqualStringRef2(&name, L"\\svchost.exe", TRUE))
knownProcessType = ServiceHostProcessType;
else if (PhEqualStringRef2(&name, L"\\rundll32.exe", TRUE))
knownProcessType = RunDllAsAppProcessType;
else if (PhEqualStringRef2(&name, L"\\dllhost.exe", TRUE))
knownProcessType = ComSurrogateProcessType;
else if (PhEqualStringRef2(&name, L"\\taskeng.exe", TRUE))
knownProcessType = TaskHostProcessType;
else if (PhEqualStringRef2(&name, L"\\taskhost.exe", TRUE))
knownProcessType = TaskHostProcessType;
}
}
PhDereferenceObject(newFileName);
#ifdef _M_X64
if (isWow64)
knownProcessType |= KnownProcessWow64;
#endif
*KnownProcessType = knownProcessType;
return status;
}
PPH_STRING PhFormatNativeKeyName(
__in PPH_STRING Name
)
{
static PH_STRINGREF hklmPrefix = PH_STRINGREF_INIT(L"\\Registry\\Machine");
static PH_STRINGREF hkcrPrefix = PH_STRINGREF_INIT(L"\\Registry\\Machine\\Software\\Classes");
static PH_STRINGREF hkuPrefix = PH_STRINGREF_INIT(L"\\Registry\\User");
static PPH_STRING hkcuPrefix;
static PPH_STRING hkcucrPrefix;
static PH_STRINGREF hklmString = PH_STRINGREF_INIT(L"HKLM");
static PH_STRINGREF hkcrString = PH_STRINGREF_INIT(L"HKCR");
static PH_STRINGREF hkuString = PH_STRINGREF_INIT(L"HKU");
static PH_STRINGREF hkcuString = PH_STRINGREF_INIT(L"HKCU");
static PH_STRINGREF hkcucrString = PH_STRINGREF_INIT(L"HKCU\\Software\\Classes");
static PH_INITONCE initOnce = PH_INITONCE_INIT;
PPH_STRING newName;
PH_STRINGREF name;
if (PhBeginInitOnce(&initOnce))
{
PTOKEN_USER tokenUser;
PPH_STRING stringSid = NULL;
if (PhCurrentTokenQueryHandle)
{
if (NT_SUCCESS(PhGetTokenUser(
PhCurrentTokenQueryHandle,
&tokenUser
)))
{
stringSid = PhSidToStringSid(tokenUser->User.Sid);
PhFree(tokenUser);
}
}
if (stringSid)
{
static PH_STRINGREF registryUserPrefix = PH_STRINGREF_INIT(L"\\Registry\\User\\");
static PH_STRINGREF classesString = PH_STRINGREF_INIT(L"_Classes");
hkcuPrefix = PhConcatStringRef2(®istryUserPrefix, &stringSid->sr);
hkcucrPrefix = PhConcatStringRef2(&hkcuPrefix->sr, &classesString);
PhDereferenceObject(stringSid);
}
else
{
hkcuPrefix = PhCreateString(L"..."); // some random string that won't ever get matched
hkcucrPrefix = PhCreateString(L"...");
}
PhEndInitOnce(&initOnce);
}
name = Name->sr;
if (PhStartsWithStringRef(&name, &hkcrPrefix, TRUE))
{
name.Buffer += hkcrPrefix.Length / sizeof(WCHAR);
name.Length -= hkcrPrefix.Length;
newName = PhConcatStringRef2(&hkcrString, &name);
}
else if (PhStartsWithStringRef(&name, &hklmPrefix, TRUE))
{
name.Buffer += hklmPrefix.Length / sizeof(WCHAR);
name.Length -= hklmPrefix.Length;
newName = PhConcatStringRef2(&hklmString, &name);
}
else if (PhStartsWithStringRef(&name, &hkcucrPrefix->sr, TRUE))
{
name.Buffer += hkcucrPrefix->Length / sizeof(WCHAR);
name.Length -= hkcucrPrefix->Length;
newName = PhConcatStringRef2(&hkcucrString, &name);
}
else if (PhStartsWithStringRef(&name, &hkcuPrefix->sr, TRUE))
{
name.Buffer += hkcuPrefix->Length / sizeof(WCHAR);
name.Length -= hkcuPrefix->Length;
newName = PhConcatStringRef2(&hkcuString, &name);
}
else if (PhStartsWithStringRef(&name, &hkuPrefix, TRUE))
{
name.Buffer += hkuPrefix.Length / sizeof(WCHAR);
name.Length -= hkuPrefix.Length;
newName = PhConcatStringRef2(&hkuString, &name);
}
else
{
newName = Name;
PhReferenceObject(Name);
}
return newName;
}
/**
* Finds a child menu item.
*
* \param Item The parent menu item.
* \param Flags A combination of the following:
* \li \c PH_EMENU_FIND_DESCEND Searches recursively within child
* menu items.
* \li \c PH_EMENU_FIND_STARTSWITH Performs a partial text search
* instead of an exact search.
* \li \c PH_EMENU_FIND_LITERAL Performs a literal search instead of
* ignoring prefix characters (ampersands).
* \param Text The text of the menu item to find. If NULL, the text
* is ignored.
* \param Id The identifier of the menu item to find. If 0, the
* identifier is ignored.
*
* \return The found menu item, or NULL if the menu item could not
* be found.
*/
PPH_EMENU_ITEM PhFindEMenuItem(
__in PPH_EMENU_ITEM Item,
__in ULONG Flags,
__in_opt PWSTR Text,
__in_opt ULONG Id
)
{
ULONG i;
PH_STRINGREF searchText;
if (!Item->Items)
return NULL;
if (Text && (Flags & PH_EMENU_FIND_LITERAL))
PhInitializeStringRef(&searchText, Text);
for (i = 0; i < Item->Items->Count; i++)
{
PPH_EMENU_ITEM item;
item = Item->Items->Items[i];
if (Text)
{
if (Flags & PH_EMENU_FIND_LITERAL)
{
PH_STRINGREF text;
PhInitializeStringRef(&text, item->Text);
if (Flags & PH_EMENU_FIND_STARTSWITH)
{
if (PhStartsWithStringRef(&text, &searchText, TRUE))
return item;
}
else
{
if (PhEqualStringRef(&text, &searchText, TRUE))
return item;
}
}
else
{
if (PhCompareUnicodeStringZIgnoreMenuPrefix(Text, item->Text,
TRUE, !!(Flags & PH_EMENU_FIND_STARTSWITH)) == 0)
return item;
}
}
if (Id && item->Id == Id)
return item;
if (Flags & PH_EMENU_FIND_DESCEND)
{
PPH_EMENU_ITEM foundItem;
foundItem = PhFindEMenuItem(item, Flags, Text, Id);
if (foundItem)
return foundItem;
}
}
return NULL;
}
/**
* Finds a child menu item.
*
* \param Item The parent menu item.
* \param Flags A combination of the following:
* \li \c PH_EMENU_FIND_DESCEND Searches recursively within child menu items.
* \li \c PH_EMENU_FIND_STARTSWITH Performs a partial text search instead of an exact search.
* \li \c PH_EMENU_FIND_LITERAL Performs a literal search instead of ignoring prefix characters
* (ampersands).
* \param Text The text of the menu item to find. If NULL, the text is ignored.
* \param Id The identifier of the menu item to find. If 0, the identifier is ignored.
* \param FoundParent A variable which receives the parent of the found menu item.
* \param FoundIndex A variable which receives the index of the found menu item.
*
* \return The found menu item, or NULL if the menu item could not be found.
*/
PPH_EMENU_ITEM PhFindEMenuItemEx(
_In_ PPH_EMENU_ITEM Item,
_In_ ULONG Flags,
_In_opt_ PWSTR Text,
_In_opt_ ULONG Id,
_Out_opt_ PPH_EMENU_ITEM *FoundParent,
_Out_opt_ PULONG FoundIndex
)
{
PH_STRINGREF searchText;
ULONG i;
PPH_EMENU_ITEM item;
if (!Item->Items)
return NULL;
if (Text && (Flags & PH_EMENU_FIND_LITERAL))
PhInitializeStringRef(&searchText, Text);
for (i = 0; i < Item->Items->Count; i++)
{
item = Item->Items->Items[i];
if (Text)
{
if (Flags & PH_EMENU_FIND_LITERAL)
{
PH_STRINGREF text;
PhInitializeStringRef(&text, item->Text);
if (Flags & PH_EMENU_FIND_STARTSWITH)
{
if (PhStartsWithStringRef(&text, &searchText, TRUE))
goto FoundItemHere;
}
else
{
if (PhEqualStringRef(&text, &searchText, TRUE))
goto FoundItemHere;
}
}
else
{
if (PhCompareUnicodeStringZIgnoreMenuPrefix(Text, item->Text,
TRUE, !!(Flags & PH_EMENU_FIND_STARTSWITH)) == 0)
goto FoundItemHere;
}
}
if (Id && item->Id == Id)
goto FoundItemHere;
if (Flags & PH_EMENU_FIND_DESCEND)
{
PPH_EMENU_ITEM foundItem;
PPH_EMENU_ITEM foundParent;
ULONG foundIndex;
foundItem = PhFindEMenuItemEx(item, Flags, Text, Id, &foundParent, &foundIndex);
if (foundItem)
{
if (FoundParent)
*FoundParent = foundParent;
if (FoundIndex)
*FoundIndex = foundIndex;
return foundItem;
}
}
}
return NULL;
FoundItemHere:
if (FoundParent)
*FoundParent = Item;
if (FoundIndex)
*FoundIndex = i;
return item;
}
