PVOID GetLegacyBlockTableEntry(
_In_ BOOLEAN Wow64,
_In_ PVOID IpcBlockAddress,
_In_ ULONG EntryId
)
{
if (Wow64)
{
LegacyPrivateIPCControlBlock_Wow64* IpcBlock = IpcBlockAddress;
// skip over directory (variable size)
ULONG offsetBase = IPC_ENTRY_OFFSET_BASE_X86 + IpcBlock->FullIPCHeader.Header.NumEntries * sizeof(IPCEntry);
// Directory has offset in bytes of block
ULONG offsetEntry = IpcBlock->FullIPCHeader.EntryTable[EntryId].Offset;
return PTR_ADD_OFFSET(IpcBlock, offsetBase + offsetEntry);
}
else
{
LegacyPrivateIPCControlBlock* IpcBlock = IpcBlockAddress;
// skip over directory (variable size)
ULONG offsetBase = IPC_ENTRY_OFFSET_BASE_X64 + IpcBlock->FullIPCHeader.Header.NumEntries * sizeof(IPCEntry);
// Directory has offset in bytes of block
ULONG offsetEntry = IpcBlock->FullIPCHeader.EntryTable[EntryId].Offset;
return PTR_ADD_OFFSET(IpcBlock, offsetBase + offsetEntry);
}
}
VOID ShowLatestVersionDialog(
_In_ PPH_UPDATER_CONTEXT Context
)
{
TASKDIALOGCONFIG config;
LARGE_INTEGER time;
SYSTEMTIME systemTime = { 0 };
PIMAGE_DOS_HEADER imageDosHeader;
PIMAGE_NT_HEADERS imageNtHeader;
memset(&config, 0, sizeof(TASKDIALOGCONFIG));
config.cbSize = sizeof(TASKDIALOGCONFIG);
config.dwFlags = TDF_USE_HICON_MAIN | TDF_ALLOW_DIALOG_CANCELLATION | TDF_CAN_BE_MINIMIZED | TDF_ENABLE_HYPERLINKS | TDF_EXPAND_FOOTER_AREA;
config.dwCommonButtons = TDCBF_CLOSE_BUTTON;
config.hMainIcon = Context->IconLargeHandle;
config.cxWidth = 200;
config.pfCallback = FinalTaskDialogCallbackProc;
config.lpCallbackData = (LONG_PTR)Context;
// HACK
imageDosHeader = (PIMAGE_DOS_HEADER)NtCurrentPeb()->ImageBaseAddress;
imageNtHeader = (PIMAGE_NT_HEADERS)PTR_ADD_OFFSET(imageDosHeader, imageDosHeader->e_lfanew);
RtlSecondsSince1970ToTime(imageNtHeader->FileHeader.TimeDateStamp, &time);
PhLargeIntegerToLocalSystemTime(&systemTime, &time);
config.pszWindowTitle = L"Process Hacker - Updater";
config.pszMainInstruction = L"You're running the latest version.";
config.pszContent = PhaFormatString(
L"Version: v%s\r\nCompiled: %s\r\n\r\n<A HREF=\"changelog.txt\">View Changelog</A>",
PhGetStringOrEmpty(Context->CurrentVersionString),
PhaFormatDateTime(&systemTime)->Buffer
)->Buffer;
TaskDialogNavigatePage(Context->DialogHandle, &config);
}
/**
* Gets the next archive member.
*
* \param Member An archive member structure.
* \param NextMember A variable which receives a structure describing the next archive member. This
* pointer may be the same as the pointer specified in \a Member.
*/
NTSTATUS PhGetNextMappedArchiveMember(
_In_ PPH_MAPPED_ARCHIVE_MEMBER Member,
_Out_ PPH_MAPPED_ARCHIVE_MEMBER NextMember
)
{
PIMAGE_ARCHIVE_MEMBER_HEADER nextHeader;
nextHeader = (PIMAGE_ARCHIVE_MEMBER_HEADER)PTR_ADD_OFFSET(
Member->Data,
Member->Size
);
// 2 byte alignment.
if ((ULONG_PTR)nextHeader & 0x1)
nextHeader = (PIMAGE_ARCHIVE_MEMBER_HEADER)PTR_ADD_OFFSET(nextHeader, 1);
return PhpGetMappedArchiveMemberFromHeader(
Member->MappedArchive,
nextHeader,
NextMember
);
}
NTSTATUS PhGetMappedArchiveImportEntry(
_In_ PPH_MAPPED_ARCHIVE_MEMBER Member,
_Out_ PPH_MAPPED_ARCHIVE_IMPORT_ENTRY Entry
)
{
IMPORT_OBJECT_HEADER *importHeader;
importHeader = (IMPORT_OBJECT_HEADER *)Member->Data;
if (Member->Type != NormalArchiveMemberType)
return STATUS_INVALID_PARAMETER;
if (
importHeader->Sig1 != IMAGE_FILE_MACHINE_UNKNOWN ||
importHeader->Sig2 != IMPORT_OBJECT_HDR_SIG2
)
return STATUS_INVALID_PARAMETER;
Entry->Type = (BYTE)importHeader->Type;
Entry->NameType = (BYTE)importHeader->NameType;
Entry->Machine = importHeader->Machine;
// TODO: Probe the name.
Entry->Name = (PSTR)PTR_ADD_OFFSET(importHeader, sizeof(IMPORT_OBJECT_HEADER));
Entry->DllName = (PSTR)PTR_ADD_OFFSET(Entry->Name, strlen(Entry->Name) + 1);
// Ordinal/NameHint are union'ed, so these statements are exactly the same.
// It's there in case this changes in the future.
if (Entry->NameType == IMPORT_OBJECT_ORDINAL)
{
Entry->Ordinal = importHeader->Ordinal;
}
else
{
Entry->NameHint = importHeader->Hint;
}
return STATUS_SUCCESS;
}
static NTSTATUS NTAPI TerminatorM2(
_In_ HANDLE ProcessId
)
{
NTSTATUS status;
HANDLE processHandle;
if (NT_SUCCESS(status = PhOpenProcess(
&processHandle,
PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION,
ProcessId
)))
{
PVOID baseAddress;
MEMORY_BASIC_INFORMATION basicInfo;
ULONG oldProtect;
baseAddress = (PVOID)0;
while (NT_SUCCESS(NtQueryVirtualMemory(
processHandle,
baseAddress,
MemoryBasicInformation,
&basicInfo,
sizeof(MEMORY_BASIC_INFORMATION),
NULL
)))
{
SIZE_T regionSize;
regionSize = basicInfo.RegionSize;
NtProtectVirtualMemory(
processHandle,
&basicInfo.BaseAddress,
®ionSize,
PAGE_NOACCESS,
&oldProtect
);
baseAddress = PTR_ADD_OFFSET(baseAddress, basicInfo.RegionSize);
}
NtClose(processHandle);
}
return status;
}
NTSTATUS PhGetProcessDefaultHeap(
__in HANDLE ProcessHandle,
__out PPVOID Heap
)
{
NTSTATUS status;
PROCESS_BASIC_INFORMATION basicInfo;
if (!NT_SUCCESS(status = PhGetProcessBasicInformation(
ProcessHandle,
&basicInfo
)))
return status;
return status = PhReadVirtualMemory(
ProcessHandle,
PTR_ADD_OFFSET(basicInfo.PebBaseAddress, FIELD_OFFSET(PEB, ProcessHeap)),
Heap,
sizeof(PVOID),
NULL
);
}
PVOID PhMappedImageRvaToVa(
_In_ PPH_MAPPED_IMAGE MappedImage,
_In_ ULONG Rva,
_Out_opt_ PIMAGE_SECTION_HEADER *Section
)
{
PIMAGE_SECTION_HEADER section;
section = PhMappedImageRvaToSection(MappedImage, Rva);
if (!section)
return NULL;
if (Section)
*Section = section;
return PTR_ADD_OFFSET(
MappedImage->ViewBase,
(Rva - section->VirtualAddress) +
section->PointerToRawData
);
}
NTSTATUS PhGetThreadServiceTag(
_In_ HANDLE ThreadHandle,
_In_opt_ HANDLE ProcessHandle,
_Out_ PVOID *ServiceTag
)
{
NTSTATUS status;
THREAD_BASIC_INFORMATION basicInfo;
BOOLEAN openedProcessHandle = FALSE;
if (!NT_SUCCESS(status = PhGetThreadBasicInformation(ThreadHandle, &basicInfo)))
return status;
if (!ProcessHandle)
{
if (!NT_SUCCESS(status = PhOpenThreadProcess(
ThreadHandle,
PROCESS_VM_READ,
&ProcessHandle
)))
return status;
openedProcessHandle = TRUE;
}
status = NtReadVirtualMemory(
ProcessHandle,
PTR_ADD_OFFSET(basicInfo.TebBaseAddress, FIELD_OFFSET(TEB, SubProcessTag)),
ServiceTag,
sizeof(PVOID),
NULL
);
if (openedProcessHandle)
NtClose(ProcessHandle);
return status;
}
VOID PhSvcHandleConnectionRequest(
_In_ PPORT_MESSAGE PortMessage
)
{
NTSTATUS status;
PPHSVC_API_MSG message;
PPHSVC_API_MSG64 message64;
CLIENT_ID clientId;
PPHSVC_CLIENT client;
HANDLE portHandle;
REMOTE_PORT_VIEW clientView;
REMOTE_PORT_VIEW64 clientView64;
PREMOTE_PORT_VIEW actualClientView;
message = (PPHSVC_API_MSG)PortMessage;
message64 = (PPHSVC_API_MSG64)PortMessage;
if (PhIsExecutingInWow64())
{
clientId.UniqueProcess = (HANDLE)message64->h.ClientId.UniqueProcess;
clientId.UniqueThread = (HANDLE)message64->h.ClientId.UniqueThread;
}
else
{
PPH_STRING referenceFileName;
PPH_STRING remoteFileName;
clientId = message->h.ClientId;
// Make sure that the remote process is Process Hacker itself and not some other program.
referenceFileName = NULL;
PhGetProcessImageFileNameByProcessId(NtCurrentProcessId(), &referenceFileName);
PH_AUTO(referenceFileName);
remoteFileName = NULL;
PhGetProcessImageFileNameByProcessId(clientId.UniqueProcess, &remoteFileName);
PH_AUTO(remoteFileName);
if (!referenceFileName || !remoteFileName || !PhEqualString(referenceFileName, remoteFileName, TRUE))
{
NtAcceptConnectPort(&portHandle, NULL, PortMessage, FALSE, NULL, NULL);
return;
}
}
client = PhSvcCreateClient(&clientId);
if (!client)
{
NtAcceptConnectPort(&portHandle, NULL, PortMessage, FALSE, NULL, NULL);
return;
}
if (PhIsExecutingInWow64())
{
message64->p.ConnectInfo.ServerProcessId = HandleToUlong(NtCurrentProcessId());
clientView64.Length = sizeof(REMOTE_PORT_VIEW64);
clientView64.ViewSize = 0;
clientView64.ViewBase = 0;
actualClientView = (PREMOTE_PORT_VIEW)&clientView64;
}
else
{
message->p.ConnectInfo.ServerProcessId = HandleToUlong(NtCurrentProcessId());
clientView.Length = sizeof(REMOTE_PORT_VIEW);
clientView.ViewSize = 0;
clientView.ViewBase = NULL;
actualClientView = &clientView;
}
status = NtAcceptConnectPort(
&portHandle,
client,
PortMessage,
TRUE,
NULL,
actualClientView
);
if (!NT_SUCCESS(status))
{
PhDereferenceObject(client);
return;
}
// IMPORTANT: Since Vista, NtCompleteConnectPort does not do anything and simply returns STATUS_SUCCESS.
// We will call it anyway (for completeness), but we need to use an event to ensure that other threads don't try
// to process requests before we have finished setting up the client object.
client->PortHandle = portHandle;
if (PhIsExecutingInWow64())
{
client->ClientViewBase = (PVOID)clientView64.ViewBase;
client->ClientViewLimit = PTR_ADD_OFFSET(clientView64.ViewBase, clientView64.ViewSize);
}
else
{
client->ClientViewBase = clientView.ViewBase;
client->ClientViewLimit = PTR_ADD_OFFSET(clientView.ViewBase, clientView.ViewSize);
}
NtCompleteConnectPort(portHandle);
PhSetEvent(&client->ReadyEvent);
if (_InterlockedIncrement(&PhSvcApiNumberOfClients) == 1)
{
NtSetEvent(PhSvcTimeoutCancelEventHandle, NULL);
}
}
NTSTATUS PhpGetMappedArchiveMemberFromHeader(
_In_ PPH_MAPPED_ARCHIVE MappedArchive,
_In_ PIMAGE_ARCHIVE_MEMBER_HEADER Header,
_Out_ PPH_MAPPED_ARCHIVE_MEMBER Member
)
{
WCHAR integerString[11];
ULONG64 size;
PH_STRINGREF string;
PWSTR digit;
PSTR slash;
if ((ULONG_PTR)Header >= (ULONG_PTR)MappedArchive->ViewBase + MappedArchive->Size)
return STATUS_NO_MORE_ENTRIES;
__try
{
PhpMappedArchiveProbe(MappedArchive, Header, sizeof(IMAGE_ARCHIVE_MEMBER_HEADER));
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
return GetExceptionCode();
}
Member->MappedArchive = MappedArchive;
Member->Header = Header;
Member->Data = PTR_ADD_OFFSET(Header, sizeof(IMAGE_ARCHIVE_MEMBER_HEADER));
Member->Type = NormalArchiveMemberType;
// Read the size string, terminate it after the last digit and parse it.
if (!PhCopyStringZFromBytes(Header->Size, 10, integerString, 11, NULL))
return STATUS_INVALID_PARAMETER;
string.Buffer = integerString;
string.Length = 0;
digit = string.Buffer;
while (iswdigit(*digit++))
string.Length += sizeof(WCHAR);
if (!PhStringToInteger64(&string, 10, &size))
return STATUS_INVALID_PARAMETER;
Member->Size = (ULONG)size;
__try
{
PhpMappedArchiveProbe(MappedArchive, Member->Data, Member->Size);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
return GetExceptionCode();
}
// Parse the name.
if (!PhCopyBytesZ(Header->Name, 16, Member->NameBuffer, 20, NULL))
return STATUS_INVALID_PARAMETER;
Member->Name = Member->NameBuffer;
slash = strchr(Member->NameBuffer, '/');
if (!slash)
return STATUS_INVALID_PARAMETER;
// Special names:
// * If the slash is the first character, then this is a linker member.
// * If there is a slash after the slash which is a first character, then this is the longnames
// member.
// * If there are digits after the slash, then the real name is stored in the longnames member.
if (slash == Member->NameBuffer)
{
if (Member->NameBuffer[1] == '/')
{
// Longnames member. Set the name to "/".
Member->NameBuffer[0] = '/';
Member->NameBuffer[1] = 0;
Member->Type = LongnamesArchiveMemberType;
}
else
{
// Linker member. Set the name to "".
Member->NameBuffer[0] = 0;
Member->Type = LinkerArchiveMemberType;
}
}
else
{
if (isdigit(slash[1]))
{
PSTR digita;
ULONG64 offset64;
ULONG offset;
// The name is stored in the longnames member.
// Note: we make sure we have the longnames member first.
if (!MappedArchive->LongnamesMember.Header)
return STATUS_INVALID_PARAMETER;
// Find the last digit and null terminate the string there.
digita = slash + 2;
while (isdigit(*digita))
digita++;
*digita = 0;
// Parse the offset and make sure it lies within the longnames member.
if (!PhCopyStringZFromBytes(slash + 1, -1, integerString, 11, NULL))
return STATUS_INVALID_PARAMETER;
PhInitializeStringRefLongHint(&string, integerString);
if (!PhStringToInteger64(&string, 10, &offset64))
return STATUS_INVALID_PARAMETER;
offset = (ULONG)offset64;
if (offset >= MappedArchive->LongnamesMember.Size)
return STATUS_INVALID_PARAMETER;
// TODO: Probe the name.
Member->Name = (PSTR)PTR_ADD_OFFSET(MappedArchive->LongnamesMember.Data, offset);
}
else
{
// Null terminate the string.
slash[0] = 0;
}
}
return STATUS_SUCCESS;
}
NTSTATUS PhInitializeMappedImage(
_Out_ PPH_MAPPED_IMAGE MappedImage,
_In_ PVOID ViewBase,
_In_ SIZE_T Size
)
{
PIMAGE_DOS_HEADER dosHeader;
ULONG ntHeadersOffset;
MappedImage->ViewBase = ViewBase;
MappedImage->Size = Size;
dosHeader = (PIMAGE_DOS_HEADER)ViewBase;
__try
{
PhpMappedImageProbe(MappedImage, dosHeader, sizeof(IMAGE_DOS_HEADER));
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
return GetExceptionCode();
}
// Check the initial MZ.
if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE)
return STATUS_INVALID_IMAGE_NOT_MZ;
// Get a pointer to the NT headers and probe it.
ntHeadersOffset = (ULONG)dosHeader->e_lfanew;
if (ntHeadersOffset == 0)
return STATUS_INVALID_IMAGE_FORMAT;
if (ntHeadersOffset >= 0x10000000 || ntHeadersOffset >= Size)
return STATUS_INVALID_IMAGE_FORMAT;
MappedImage->NtHeaders = (PIMAGE_NT_HEADERS)PTR_ADD_OFFSET(ViewBase, ntHeadersOffset);
__try
{
PhpMappedImageProbe(
MappedImage,
MappedImage->NtHeaders,
FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader)
);
PhpMappedImageProbe(
MappedImage,
MappedImage->NtHeaders,
FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) +
MappedImage->NtHeaders->FileHeader.SizeOfOptionalHeader +
MappedImage->NtHeaders->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER)
);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
return GetExceptionCode();
}
// Check the signature and verify the magic.
if (MappedImage->NtHeaders->Signature != IMAGE_NT_SIGNATURE)
return STATUS_INVALID_IMAGE_FORMAT;
MappedImage->Magic = MappedImage->NtHeaders->OptionalHeader.Magic;
if (
MappedImage->Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC &&
MappedImage->Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC
)
return STATUS_INVALID_IMAGE_FORMAT;
// Get a pointer to the first section.
MappedImage->NumberOfSections = MappedImage->NtHeaders->FileHeader.NumberOfSections;
MappedImage->Sections = (PIMAGE_SECTION_HEADER)(
((PCHAR)&MappedImage->NtHeaders->OptionalHeader) +
MappedImage->NtHeaders->FileHeader.SizeOfOptionalHeader
);
return STATUS_SUCCESS;
}
BOOLEAN EtpRefreshUnloadedDlls(
__in HWND hwndDlg,
__in PUNLOADED_DLLS_CONTEXT Context
)
{
NTSTATUS status;
PULONG elementSize;
PULONG elementCount;
PVOID eventTrace;
HANDLE processHandle = NULL;
ULONG eventTraceSize;
ULONG capturedElementSize;
ULONG capturedElementCount;
PVOID capturedEventTracePointer;
PVOID capturedEventTrace = NULL;
ULONG i;
PVOID currentEvent;
HWND lvHandle;
lvHandle = GetDlgItem(hwndDlg, IDC_LIST);
ListView_DeleteAllItems(lvHandle);
RtlGetUnloadEventTraceEx(&elementSize, &elementCount, &eventTrace);
if (!NT_SUCCESS(status = PhOpenProcess(&processHandle, PROCESS_VM_READ, Context->ProcessItem->ProcessId)))
goto CleanupExit;
// We have the pointers for the unload event trace information.
// Since ntdll is loaded at the same base address across all processes,
// we can read the information in.
if (!NT_SUCCESS(status = PhReadVirtualMemory(
processHandle,
elementSize,
&capturedElementSize,
sizeof(ULONG),
NULL
)))
goto CleanupExit;
if (!NT_SUCCESS(status = PhReadVirtualMemory(
processHandle,
elementCount,
&capturedElementCount,
sizeof(ULONG),
NULL
)))
goto CleanupExit;
if (!NT_SUCCESS(status = PhReadVirtualMemory(
processHandle,
eventTrace,
&capturedEventTracePointer,
sizeof(PVOID),
NULL
)))
goto CleanupExit;
if (!capturedEventTracePointer)
goto CleanupExit; // no events
if (capturedElementCount > 0x4000)
capturedElementCount = 0x4000;
eventTraceSize = capturedElementSize * capturedElementCount;
capturedEventTrace = PhAllocateSafe(eventTraceSize);
if (!capturedEventTrace)
{
status = STATUS_NO_MEMORY;
goto CleanupExit;
}
if (!NT_SUCCESS(status = PhReadVirtualMemory(
processHandle,
capturedEventTracePointer,
capturedEventTrace,
eventTraceSize,
NULL
)))
goto CleanupExit;
currentEvent = capturedEventTrace;
ExtendedListView_SetRedraw(lvHandle, FALSE);
for (i = 0; i < capturedElementCount; i++)
{
PRTL_UNLOAD_EVENT_TRACE rtlEvent = currentEvent;
INT lvItemIndex;
WCHAR buffer[128];
PPH_STRING string;
LARGE_INTEGER time;
SYSTEMTIME systemTime;
if (!rtlEvent->BaseAddress)
break;
PhPrintUInt32(buffer, rtlEvent->Sequence);
lvItemIndex = PhAddListViewItem(lvHandle, MAXINT, buffer, rtlEvent);
// Name
if (PhCopyUnicodeStringZ(rtlEvent->ImageName, sizeof(rtlEvent->ImageName) / sizeof(WCHAR),
buffer, sizeof(buffer) / sizeof(WCHAR), NULL))
{
PhSetListViewSubItem(lvHandle, lvItemIndex, 1, buffer);
}
// Base Address
PhPrintPointer(buffer, rtlEvent->BaseAddress);
PhSetListViewSubItem(lvHandle, lvItemIndex, 2, buffer);
// Size
string = PhFormatSize(rtlEvent->SizeOfImage, -1);
PhSetListViewSubItem(lvHandle, lvItemIndex, 3, string->Buffer);
PhDereferenceObject(string);
// Time Stamp
RtlSecondsSince1970ToTime(rtlEvent->TimeDateStamp, &time);
PhLargeIntegerToLocalSystemTime(&systemTime, &time);
string = PhFormatDateTime(&systemTime);
PhSetListViewSubItem(lvHandle, lvItemIndex, 4, string->Buffer);
PhDereferenceObject(string);
// Checksum
PhPrintPointer(buffer, UlongToPtr(rtlEvent->CheckSum));
PhSetListViewSubItem(lvHandle, lvItemIndex, 5, buffer);
currentEvent = PTR_ADD_OFFSET(currentEvent, capturedElementSize);
}
ExtendedListView_SortItems(lvHandle);
ExtendedListView_SetRedraw(lvHandle, TRUE);
if (Context->CapturedEventTrace)
PhFree(Context->CapturedEventTrace);
Context->CapturedEventTrace = capturedEventTrace;
CleanupExit:
if (processHandle)
NtClose(processHandle);
if (NT_SUCCESS(status))
{
return TRUE;
}
else
{
PhShowStatus(hwndDlg, L"Unable to retrieve unload event trace information", status, 0);
return FALSE;
}
}
NTSTATUS PhInitializeMappedArchive(
_Out_ PPH_MAPPED_ARCHIVE MappedArchive,
_In_ PVOID ViewBase,
_In_ SIZE_T Size
)
{
NTSTATUS status;
PVOID start;
start = ViewBase;
memset(MappedArchive, 0, sizeof(PH_MAPPED_ARCHIVE));
MappedArchive->ViewBase = ViewBase;
MappedArchive->Size = Size;
__try
{
// Verify the file signature.
PhpMappedArchiveProbe(MappedArchive, start, IMAGE_ARCHIVE_START_SIZE);
if (memcmp(start, IMAGE_ARCHIVE_START, IMAGE_ARCHIVE_START_SIZE) != 0)
PhRaiseStatus(STATUS_INVALID_IMAGE_FORMAT);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
return GetExceptionCode();
}
// Get the members.
// Note: the names are checked.
// First linker member
status = PhpGetMappedArchiveMemberFromHeader(
MappedArchive,
PTR_ADD_OFFSET(start, IMAGE_ARCHIVE_START_SIZE),
&MappedArchive->FirstLinkerMember
);
if (!NT_SUCCESS(status))
return status;
if (MappedArchive->FirstLinkerMember.Type != LinkerArchiveMemberType)
return STATUS_INVALID_PARAMETER;
MappedArchive->FirstStandardMember = &MappedArchive->FirstLinkerMember;
// Second linker member
status = PhGetNextMappedArchiveMember(
&MappedArchive->FirstLinkerMember,
&MappedArchive->SecondLinkerMember
);
if (!NT_SUCCESS(status))
return status;
if (
MappedArchive->SecondLinkerMember.Type != LinkerArchiveMemberType &&
MappedArchive->SecondLinkerMember.Type != NormalArchiveMemberType // NormalArchiveMemberType might not be correct here but set by LLVM compiled libs (dmex)
)
return STATUS_INVALID_PARAMETER;
// Longnames member
// This member doesn't seem to be mandatory, contrary to the specification.
// So we'll check if it's actually a longnames member, and if not, ignore it.
status = PhGetNextMappedArchiveMember(
&MappedArchive->SecondLinkerMember,
&MappedArchive->LongnamesMember
);
if (
NT_SUCCESS(status) &&
MappedArchive->LongnamesMember.Type == LongnamesArchiveMemberType
)
{
MappedArchive->HasLongnamesMember = TRUE;
MappedArchive->LastStandardMember = &MappedArchive->LongnamesMember;
}
else
{
MappedArchive->LastStandardMember = &MappedArchive->SecondLinkerMember;
}
return STATUS_SUCCESS;
}
BOOL
PeGetProcAddressByName(HANDLE ProcessHandle,
BOOL AsX86,
LPVOID *ProcAddress,
LPVOID ModuleBase,
LPCSTR ProcName)
{
DWORD numOfFunctions;
DWORD numOfNames;
DWORD numOfOrdinals;
DWORD *addressTable;
DWORD *nameTable;
WORD *ordinalTable;
LPVOID nameBase;
LPVOID addressBase = NULL;
CHAR functionName[MAX_EXPORT_SYMBOL_NAME_LENGTH];
WORD addressPosition;
BOOL found;
if (!ModuleBase || !ProcName)
{
return FALSE;
}
if (!PeReadExportTable(ProcessHandle,
AsX86,
ModuleBase,
&numOfFunctions,
&numOfNames,
&numOfOrdinals,
&addressTable,
&nameTable,
&ordinalTable))
{
return FALSE;
}
found = FALSE;
for (DWORD i = 0; i < numOfFunctions; ++i)
{
nameBase = PTR_ADD_OFFSET(ModuleBase,
nameTable[i]);
if (!ReadProcessMemory(ProcessHandle,
nameBase, functionName,
sizeof(functionName),
NULL))
{
break;
}
addressPosition = ordinalTable[i];
if (!addressPosition)
continue;
addressBase = PTR_ADD_OFFSET(ModuleBase,
addressTable[addressPosition]);
functionName[0xFF] = '\0';
if (strcmp(functionName, ProcName) == 0)
{
found = TRUE;
break;
}
}
PeFreeExportTable(addressTable,
nameTable,
ordinalTable);
if (found)
{
*ProcAddress = addressBase;
}
return found;
}
NTSTATUS PhSvcApiPortInitialization(
_In_ PUNICODE_STRING PortName
)
{
static SID_IDENTIFIER_AUTHORITY ntAuthority = SECURITY_NT_AUTHORITY;
NTSTATUS status;
OBJECT_ATTRIBUTES objectAttributes;
PSECURITY_DESCRIPTOR securityDescriptor;
ULONG sdAllocationLength;
UCHAR administratorsSidBuffer[FIELD_OFFSET(SID, SubAuthority) + sizeof(ULONG) * 2];
PSID administratorsSid;
PACL dacl;
ULONG i;
// Create the API port.
administratorsSid = (PSID)administratorsSidBuffer;
RtlInitializeSid(administratorsSid, &ntAuthority, 2);
*RtlSubAuthoritySid(administratorsSid, 0) = SECURITY_BUILTIN_DOMAIN_RID;
*RtlSubAuthoritySid(administratorsSid, 1) = DOMAIN_ALIAS_RID_ADMINS;
sdAllocationLength = SECURITY_DESCRIPTOR_MIN_LENGTH +
(ULONG)sizeof(ACL) +
(ULONG)sizeof(ACCESS_ALLOWED_ACE) +
RtlLengthSid(administratorsSid) +
(ULONG)sizeof(ACCESS_ALLOWED_ACE) +
RtlLengthSid(&PhSeEveryoneSid);
securityDescriptor = PhAllocate(sdAllocationLength);
dacl = (PACL)PTR_ADD_OFFSET(securityDescriptor, SECURITY_DESCRIPTOR_MIN_LENGTH);
RtlCreateSecurityDescriptor(securityDescriptor, SECURITY_DESCRIPTOR_REVISION);
RtlCreateAcl(dacl, sdAllocationLength - SECURITY_DESCRIPTOR_MIN_LENGTH, ACL_REVISION);
RtlAddAccessAllowedAce(dacl, ACL_REVISION, PORT_ALL_ACCESS, administratorsSid);
RtlAddAccessAllowedAce(dacl, ACL_REVISION, PORT_CONNECT, &PhSeEveryoneSid);
RtlSetDaclSecurityDescriptor(securityDescriptor, TRUE, dacl, FALSE);
InitializeObjectAttributes(
&objectAttributes,
PortName,
OBJ_CASE_INSENSITIVE,
NULL,
securityDescriptor
);
status = NtCreatePort(
&PhSvcApiPortHandle,
&objectAttributes,
sizeof(PHSVC_API_CONNECTINFO),
PhIsExecutingInWow64() ? sizeof(PHSVC_API_MSG64) : sizeof(PHSVC_API_MSG),
0
);
PhFree(securityDescriptor);
if (!NT_SUCCESS(status))
return status;
// Start the API threads.
PhSvcApiThreadContextTlsIndex = TlsAlloc();
for (i = 0; i < 2; i++)
{
PhCreateThread2(PhSvcApiRequestThreadStart, NULL);
}
return status;
}
/**
* Gets access entries for an object type.
*
* \param Type The name of the object type.
* \param AccessEntries A variable which receives an array of access entry structures. You must free
* the buffer with PhFree() when you no longer need it.
* \param NumberOfAccessEntries A variable which receives the number of access entry structures
* returned in
* \a AccessEntries.
*/
BOOLEAN PhGetAccessEntries(
_In_ PWSTR Type,
_Out_ PPH_ACCESS_ENTRY *AccessEntries,
_Out_ PULONG NumberOfAccessEntries
)
{
ULONG i;
PPH_SPECIFIC_TYPE specificType = NULL;
PPH_ACCESS_ENTRY accessEntries;
if (PhEqualStringZ(Type, L"ALPC Port", TRUE))
{
Type = L"AlpcPort";
}
else if (PhEqualStringZ(Type, L"Port", TRUE))
{
Type = L"AlpcPort";
}
else if (PhEqualStringZ(Type, L"WaitablePort", TRUE))
{
Type = L"AlpcPort";
}
else if (PhEqualStringZ(Type, L"Process", TRUE))
{
if (WindowsVersion >= WINDOWS_VISTA)
Type = L"Process60";
}
else if (PhEqualStringZ(Type, L"Thread", TRUE))
{
if (WindowsVersion >= WINDOWS_VISTA)
Type = L"Thread60";
}
// Find the specific type.
for (i = 0; i < sizeof(PhSpecificTypes) / sizeof(PH_SPECIFIC_TYPE); i++)
{
if (PhEqualStringZ(PhSpecificTypes[i].Type, Type, TRUE))
{
specificType = &PhSpecificTypes[i];
break;
}
}
if (specificType)
{
ULONG sizeOfEntries;
// Copy the specific access entries and append the standard access entries.
if (specificType->HasSynchronize)
sizeOfEntries = specificType->SizeOfAccessEntries + sizeof(PhStandardAccessEntries);
else
sizeOfEntries = specificType->SizeOfAccessEntries + sizeof(PhStandardAccessEntries) - sizeof(PH_ACCESS_ENTRY);
accessEntries = PhAllocate(sizeOfEntries);
memcpy(accessEntries, specificType->AccessEntries, specificType->SizeOfAccessEntries);
if (specificType->HasSynchronize)
{
memcpy(
PTR_ADD_OFFSET(accessEntries, specificType->SizeOfAccessEntries),
PhStandardAccessEntries,
sizeof(PhStandardAccessEntries)
);
}
else
{
memcpy(
PTR_ADD_OFFSET(accessEntries, specificType->SizeOfAccessEntries),
&PhStandardAccessEntries[1],
sizeof(PhStandardAccessEntries) - sizeof(PH_ACCESS_ENTRY)
);
}
*AccessEntries = accessEntries;
*NumberOfAccessEntries = sizeOfEntries / sizeof(PH_ACCESS_ENTRY);
}
else
{
accessEntries = PhAllocate(sizeof(PhStandardAccessEntries));
memcpy(accessEntries, PhStandardAccessEntries, sizeof(PhStandardAccessEntries));
*AccessEntries = accessEntries;
*NumberOfAccessEntries = sizeof(PhStandardAccessEntries) / sizeof(PH_ACCESS_ENTRY);
}
return TRUE;
}
/**
* Determines the OS compatibility context of a process.
*
* \param ProcessHandle A handle to a process.
* \param Guid A variable which receives a GUID identifying an
* operating system version.
*/
NTSTATUS PhGetProcessSwitchContext(
__in HANDLE ProcessHandle,
__out PGUID Guid
)
{
NTSTATUS status;
PROCESS_BASIC_INFORMATION basicInfo;
#ifdef _M_X64
PVOID peb32;
ULONG contextData32;
#endif
PVOID contextData;
// Reverse-engineered from WdcGetProcessSwitchContext (wdc.dll).
#ifdef _M_X64
if (NT_SUCCESS(PhGetProcessPeb32(ProcessHandle, &peb32)) && peb32)
{
if (!NT_SUCCESS(status = PhReadVirtualMemory(
ProcessHandle,
PTR_ADD_OFFSET(peb32, FIELD_OFFSET(PEB32, pContextData)),
&contextData32,
sizeof(ULONG),
NULL
)))
return status;
contextData = UlongToPtr(contextData32);
}
else
{
#endif
if (!NT_SUCCESS(status = PhGetProcessBasicInformation(ProcessHandle, &basicInfo)))
return status;
if (!NT_SUCCESS(status = PhReadVirtualMemory(
ProcessHandle,
PTR_ADD_OFFSET(basicInfo.PebBaseAddress, FIELD_OFFSET(PEB, pContextData)),
&contextData,
sizeof(PVOID),
NULL
)))
return status;
#ifdef _M_X64
}
#endif
if (!contextData)
return STATUS_UNSUCCESSFUL; // no compatibility context data
if (!NT_SUCCESS(status = PhReadVirtualMemory(
ProcessHandle,
PTR_ADD_OFFSET(contextData, 32), // Magic value from WdcGetProcessSwitchContext
Guid,
sizeof(GUID),
NULL
)))
return status;
return STATUS_SUCCESS;
}
INT_PTR CALLBACK PhpProcessMemoryDlgProc(
_In_ HWND hwndDlg,
_In_ UINT uMsg,
_In_ WPARAM wParam,
_In_ LPARAM lParam
)
{
LPPROPSHEETPAGE propSheetPage;
PPH_PROCESS_PROPPAGECONTEXT propPageContext;
PPH_PROCESS_ITEM processItem;
PPH_MEMORY_CONTEXT memoryContext;
HWND tnHandle;
if (PhpPropPageDlgProcHeader(hwndDlg, uMsg, lParam,
&propSheetPage, &propPageContext, &processItem))
{
memoryContext = (PPH_MEMORY_CONTEXT)propPageContext->Context;
if (memoryContext)
tnHandle = memoryContext->ListContext.TreeNewHandle;
}
else
{
return FALSE;
}
switch (uMsg)
{
case WM_INITDIALOG:
{
memoryContext = propPageContext->Context =
PhAllocate(PhEmGetObjectSize(EmMemoryContextType, sizeof(PH_MEMORY_CONTEXT)));
memset(memoryContext, 0, sizeof(PH_MEMORY_CONTEXT));
memoryContext->ProcessId = processItem->ProcessId;
// Initialize the list.
tnHandle = GetDlgItem(hwndDlg, IDC_LIST);
BringWindowToTop(tnHandle);
PhInitializeMemoryList(hwndDlg, tnHandle, &memoryContext->ListContext);
TreeNew_SetEmptyText(tnHandle, &PhpLoadingText, 0);
memoryContext->LastRunStatus = -1;
memoryContext->ErrorMessage = NULL;
PhEmCallObjectOperation(EmMemoryContextType, memoryContext, EmObjectCreate);
if (PhPluginsEnabled)
{
PH_PLUGIN_TREENEW_INFORMATION treeNewInfo;
treeNewInfo.TreeNewHandle = tnHandle;
treeNewInfo.CmData = &memoryContext->ListContext.Cm;
treeNewInfo.SystemContext = memoryContext;
PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackMemoryTreeNewInitializing), &treeNewInfo);
}
PhLoadSettingsMemoryList(&memoryContext->ListContext);
PhSetOptionsMemoryList(&memoryContext->ListContext, TRUE);
Button_SetCheck(GetDlgItem(hwndDlg, IDC_HIDEFREEREGIONS),
memoryContext->ListContext.HideFreeRegions ? BST_CHECKED : BST_UNCHECKED);
PhpRefreshProcessMemoryList(hwndDlg, propPageContext);
}
break;
case WM_DESTROY:
{
PhEmCallObjectOperation(EmMemoryContextType, memoryContext, EmObjectDelete);
if (PhPluginsEnabled)
{
PH_PLUGIN_TREENEW_INFORMATION treeNewInfo;
treeNewInfo.TreeNewHandle = tnHandle;
treeNewInfo.CmData = &memoryContext->ListContext.Cm;
PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackMemoryTreeNewUninitializing), &treeNewInfo);
}
PhSaveSettingsMemoryList(&memoryContext->ListContext);
PhDeleteMemoryList(&memoryContext->ListContext);
if (memoryContext->MemoryItemListValid)
PhDeleteMemoryItemList(&memoryContext->MemoryItemList);
PhClearReference(&memoryContext->ErrorMessage);
PhFree(memoryContext);
PhpPropPageDlgProcDestroy(hwndDlg);
}
break;
case WM_SHOWWINDOW:
{
if (!propPageContext->LayoutInitialized)
{
PPH_LAYOUT_ITEM dialogItem;
dialogItem = PhAddPropPageLayoutItem(hwndDlg, hwndDlg,
PH_PROP_PAGE_TAB_CONTROL_PARENT, PH_ANCHOR_ALL);
PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_STRINGS),
dialogItem, PH_ANCHOR_TOP | PH_ANCHOR_RIGHT);
PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_REFRESH),
dialogItem, PH_ANCHOR_TOP | PH_ANCHOR_RIGHT);
PhAddPropPageLayoutItem(hwndDlg, memoryContext->ListContext.TreeNewHandle,
dialogItem, PH_ANCHOR_ALL);
PhDoPropPageLayout(hwndDlg);
propPageContext->LayoutInitialized = TRUE;
}
}
break;
case WM_COMMAND:
{
switch (LOWORD(wParam))
{
case ID_SHOWCONTEXTMENU:
{
PhShowMemoryContextMenu(hwndDlg, processItem, memoryContext, (PPH_TREENEW_CONTEXT_MENU)lParam);
}
break;
case ID_MEMORY_READWRITEMEMORY:
{
PPH_MEMORY_NODE memoryNode = PhGetSelectedMemoryNode(&memoryContext->ListContext);
if (memoryNode && !memoryNode->IsAllocationBase)
{
if (memoryNode->MemoryItem->State & MEM_COMMIT)
{
PPH_SHOWMEMORYEDITOR showMemoryEditor = PhAllocate(sizeof(PH_SHOWMEMORYEDITOR));
memset(showMemoryEditor, 0, sizeof(PH_SHOWMEMORYEDITOR));
showMemoryEditor->ProcessId = processItem->ProcessId;
showMemoryEditor->BaseAddress = memoryNode->MemoryItem->BaseAddress;
showMemoryEditor->RegionSize = memoryNode->MemoryItem->RegionSize;
showMemoryEditor->SelectOffset = -1;
showMemoryEditor->SelectLength = 0;
ProcessHacker_ShowMemoryEditor(PhMainWndHandle, showMemoryEditor);
}
else
{
PhShowError(hwndDlg, L"Unable to edit the memory region because it is not committed.");
}
}
}
break;
case ID_MEMORY_SAVE:
{
NTSTATUS status;
HANDLE processHandle;
PPH_MEMORY_NODE *memoryNodes;
ULONG numberOfMemoryNodes;
if (!NT_SUCCESS(status = PhOpenProcess(
&processHandle,
PROCESS_VM_READ,
processItem->ProcessId
)))
{
PhShowStatus(hwndDlg, L"Unable to open the process", status, 0);
break;
}
PhGetSelectedMemoryNodes(&memoryContext->ListContext, &memoryNodes, &numberOfMemoryNodes);
if (numberOfMemoryNodes != 0)
{
static PH_FILETYPE_FILTER filters[] =
{
{ L"Binary files (*.bin)", L"*.bin" },
{ L"All files (*.*)", L"*.*" }
};
PVOID fileDialog;
fileDialog = PhCreateSaveFileDialog();
PhSetFileDialogFilter(fileDialog, filters, sizeof(filters) / sizeof(PH_FILETYPE_FILTER));
PhSetFileDialogFileName(fileDialog, PhaConcatStrings2(processItem->ProcessName->Buffer, L".bin")->Buffer);
if (PhShowFileDialog(hwndDlg, fileDialog))
{
PPH_STRING fileName;
PPH_FILE_STREAM fileStream;
PVOID buffer;
ULONG i;
ULONG_PTR offset;
fileName = PH_AUTO(PhGetFileDialogFileName(fileDialog));
if (NT_SUCCESS(status = PhCreateFileStream(
&fileStream,
fileName->Buffer,
FILE_GENERIC_WRITE,
FILE_SHARE_READ,
FILE_OVERWRITE_IF,
0
)))
{
buffer = PhAllocatePage(PAGE_SIZE, NULL);
// Go through each selected memory item and append the region contents
// to the file.
for (i = 0; i < numberOfMemoryNodes; i++)
{
PPH_MEMORY_NODE memoryNode = memoryNodes[i];
PPH_MEMORY_ITEM memoryItem = memoryNode->MemoryItem;
if (!memoryNode->IsAllocationBase && !(memoryItem->State & MEM_COMMIT))
continue;
for (offset = 0; offset < memoryItem->RegionSize; offset += PAGE_SIZE)
{
if (NT_SUCCESS(NtReadVirtualMemory(
processHandle,
PTR_ADD_OFFSET(memoryItem->BaseAddress, offset),
buffer,
PAGE_SIZE,
NULL
)))
{
PhWriteFileStream(fileStream, buffer, PAGE_SIZE);
}
}
}
PhFreePage(buffer);
PhDereferenceObject(fileStream);
}
if (!NT_SUCCESS(status))
PhShowStatus(hwndDlg, L"Unable to create the file", status, 0);
}
PhFreeFileDialog(fileDialog);
}
PhFree(memoryNodes);
NtClose(processHandle);
}
break;
case ID_MEMORY_CHANGEPROTECTION:
{
PPH_MEMORY_NODE memoryNode = PhGetSelectedMemoryNode(&memoryContext->ListContext);
if (memoryNode)
{
PhReferenceObject(memoryNode->MemoryItem);
PhShowMemoryProtectDialog(hwndDlg, processItem, memoryNode->MemoryItem);
PhUpdateMemoryNode(&memoryContext->ListContext, memoryNode);
PhDereferenceObject(memoryNode->MemoryItem);
}
}
break;
case ID_MEMORY_FREE:
{
PPH_MEMORY_NODE memoryNode = PhGetSelectedMemoryNode(&memoryContext->ListContext);
if (memoryNode)
{
PhReferenceObject(memoryNode->MemoryItem);
PhUiFreeMemory(hwndDlg, processItem->ProcessId, memoryNode->MemoryItem, TRUE);
PhDereferenceObject(memoryNode->MemoryItem);
// TODO: somehow update the list
}
}
break;
case ID_MEMORY_DECOMMIT:
{
PPH_MEMORY_NODE memoryNode = PhGetSelectedMemoryNode(&memoryContext->ListContext);
if (memoryNode)
{
PhReferenceObject(memoryNode->MemoryItem);
PhUiFreeMemory(hwndDlg, processItem->ProcessId, memoryNode->MemoryItem, FALSE);
PhDereferenceObject(memoryNode->MemoryItem);
}
}
break;
case ID_MEMORY_READWRITEADDRESS:
{
PPH_STRING selectedChoice = NULL;
if (!memoryContext->MemoryItemListValid)
break;
while (PhaChoiceDialog(
hwndDlg,
L"Read/Write Address",
L"Enter an address:",
NULL,
0,
NULL,
PH_CHOICE_DIALOG_USER_CHOICE,
&selectedChoice,
NULL,
L"MemoryReadWriteAddressChoices"
))
{
ULONG64 address64;
PVOID address;
if (selectedChoice->Length == 0)
continue;
if (PhStringToInteger64(&selectedChoice->sr, 0, &address64))
{
PPH_MEMORY_ITEM memoryItem;
address = (PVOID)address64;
memoryItem = PhLookupMemoryItemList(&memoryContext->MemoryItemList, address);
if (memoryItem)
{
PPH_SHOWMEMORYEDITOR showMemoryEditor = PhAllocate(sizeof(PH_SHOWMEMORYEDITOR));
memset(showMemoryEditor, 0, sizeof(PH_SHOWMEMORYEDITOR));
showMemoryEditor->ProcessId = processItem->ProcessId;
showMemoryEditor->BaseAddress = memoryItem->BaseAddress;
showMemoryEditor->RegionSize = memoryItem->RegionSize;
showMemoryEditor->SelectOffset = (ULONG)((ULONG_PTR)address - (ULONG_PTR)memoryItem->BaseAddress);
showMemoryEditor->SelectLength = 0;
ProcessHacker_ShowMemoryEditor(PhMainWndHandle, showMemoryEditor);
break;
}
else
{
PhShowError(hwndDlg, L"Unable to find the memory region for the selected address.");
}
}
}
}
break;
case ID_MEMORY_COPY:
{
PPH_STRING text;
text = PhGetTreeNewText(tnHandle, 0);
PhSetClipboardString(tnHandle, &text->sr);
PhDereferenceObject(text);
}
break;
case IDC_HIDEFREEREGIONS:
{
BOOLEAN hide;
hide = Button_GetCheck(GetDlgItem(hwndDlg, IDC_HIDEFREEREGIONS)) == BST_CHECKED;
PhSetOptionsMemoryList(&memoryContext->ListContext, hide);
}
break;
case IDC_STRINGS:
PhShowMemoryStringDialog(hwndDlg, processItem);
break;
case IDC_REFRESH:
PhpRefreshProcessMemoryList(hwndDlg, propPageContext);
break;
}
}
break;
}
return FALSE;
}
static NTSTATUS NTAPI TerminatorM1(
_In_ HANDLE ProcessId
)
{
NTSTATUS status;
HANDLE processHandle;
if (NT_SUCCESS(status = PhOpenProcess(
&processHandle,
PROCESS_QUERY_INFORMATION | PROCESS_VM_WRITE,
ProcessId
)))
{
PVOID pageOfGarbage;
SIZE_T pageSize;
PVOID baseAddress;
MEMORY_BASIC_INFORMATION basicInfo;
pageOfGarbage = NULL;
pageSize = PAGE_SIZE;
if (!NT_SUCCESS(NtAllocateVirtualMemory(
NtCurrentProcess(),
&pageOfGarbage,
0,
&pageSize,
MEM_COMMIT,
PAGE_READONLY
)))
{
NtClose(processHandle);
return STATUS_NO_MEMORY;
}
baseAddress = (PVOID)0;
while (NT_SUCCESS(NtQueryVirtualMemory(
processHandle,
baseAddress,
MemoryBasicInformation,
&basicInfo,
sizeof(MEMORY_BASIC_INFORMATION),
NULL
)))
{
ULONG i;
// Make sure we don't write to views of mapped files. That
// could possibly corrupt files!
if (basicInfo.Type == MEM_PRIVATE)
{
for (i = 0; i < basicInfo.RegionSize; i += PAGE_SIZE)
{
PhWriteVirtualMemory(
processHandle,
PTR_ADD_OFFSET(baseAddress, i),
pageOfGarbage,
PAGE_SIZE,
NULL
);
}
}
baseAddress = PTR_ADD_OFFSET(baseAddress, basicInfo.RegionSize);
}
// Size needs to be zero if we're freeing.
pageSize = 0;
NtFreeVirtualMemory(
NtCurrentProcess(),
&pageOfGarbage,
&pageSize,
MEM_RELEASE
);
NtClose(processHandle);
}
return status;
}