static NTSTATUS PhpRefreshThreadStackThreadStart( _In_ PVOID Parameter ) { PH_AUTO_POOL autoPool; NTSTATUS status; PTHREAD_STACK_CONTEXT threadStackContext = Parameter; CLIENT_ID clientId; BOOLEAN defaultWalk; PhInitializeAutoPool(&autoPool); PhLoadSymbolsThreadProvider(threadStackContext->ThreadProvider); clientId.UniqueProcess = threadStackContext->ProcessId; clientId.UniqueThread = threadStackContext->ThreadId; defaultWalk = TRUE; if (threadStackContext->CustomWalk) { PH_PLUGIN_THREAD_STACK_CONTROL control; control.Type = PluginThreadStackWalkStack; control.UniqueKey = threadStackContext; control.u.WalkStack.Status = STATUS_UNSUCCESSFUL; control.u.WalkStack.ThreadHandle = threadStackContext->ThreadHandle; control.u.WalkStack.ProcessHandle = threadStackContext->SymbolProvider->ProcessHandle; control.u.WalkStack.ClientId = &clientId; control.u.WalkStack.Flags = PH_WALK_I386_STACK | PH_WALK_AMD64_STACK | PH_WALK_KERNEL_STACK; control.u.WalkStack.Callback = PhpWalkThreadStackCallback; control.u.WalkStack.CallbackContext = threadStackContext; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackThreadStackControl), &control); status = control.u.WalkStack.Status; if (NT_SUCCESS(status)) defaultWalk = FALSE; } if (defaultWalk) { PH_PLUGIN_THREAD_STACK_CONTROL control; control.UniqueKey = threadStackContext; if (PhPluginsEnabled) { control.Type = PluginThreadStackBeginDefaultWalkStack; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackThreadStackControl), &control); } status = PhWalkThreadStack( threadStackContext->ThreadHandle, threadStackContext->SymbolProvider->ProcessHandle, &clientId, threadStackContext->SymbolProvider, PH_WALK_I386_STACK | PH_WALK_AMD64_STACK | PH_WALK_KERNEL_STACK, PhpWalkThreadStackCallback, threadStackContext ); if (PhPluginsEnabled) { control.Type = PluginThreadStackEndDefaultWalkStack; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackThreadStackControl), &control); } } if (threadStackContext->NewList->Count != 0) status = STATUS_SUCCESS; threadStackContext->WalkStatus = status; PostMessage(threadStackContext->ProgressWindowHandle, WM_PH_COMPLETED, 0, 0); PhDeleteAutoPool(&autoPool); return STATUS_SUCCESS; }
NTSTATUS PhpThreadQueryWorker( _In_ PVOID Parameter ) { PPH_THREAD_QUERY_DATA data = (PPH_THREAD_QUERY_DATA)Parameter; LONG newSymbolsLoading; if (data->ThreadProvider->Terminating) goto Done; newSymbolsLoading = _InterlockedIncrement(&data->ThreadProvider->SymbolsLoading); if (newSymbolsLoading == 1) PhInvokeCallback(&data->ThreadProvider->LoadingStateChangedEvent, (PVOID)TRUE); if (data->ThreadProvider->SymbolsLoadedRunId == 0) PhLoadSymbolsThreadProvider(data->ThreadProvider); data->StartAddressString = PhGetSymbolFromAddress( data->ThreadProvider->SymbolProvider, data->ThreadItem->StartAddress, &data->StartAddressResolveLevel, &data->ThreadItem->StartAddressFileName, NULL, NULL ); if (data->StartAddressResolveLevel == PhsrlAddress && data->ThreadProvider->SymbolsLoadedRunId < data->RunId) { // The process may have loaded new modules, so load symbols for those and try again. PhLoadSymbolsThreadProvider(data->ThreadProvider); PhClearReference(&data->StartAddressString); PhClearReference(&data->ThreadItem->StartAddressFileName); data->StartAddressString = PhGetSymbolFromAddress( data->ThreadProvider->SymbolProvider, data->ThreadItem->StartAddress, &data->StartAddressResolveLevel, &data->ThreadItem->StartAddressFileName, NULL, NULL ); } newSymbolsLoading = _InterlockedDecrement(&data->ThreadProvider->SymbolsLoading); if (newSymbolsLoading == 0) PhInvokeCallback(&data->ThreadProvider->LoadingStateChangedEvent, (PVOID)FALSE); // Check if the process has services - we'll need to know before getting service tag/name // information. if (WINDOWS_HAS_SERVICE_TAGS && !data->ThreadProvider->HasServicesKnown) { PPH_PROCESS_ITEM processItem; if (processItem = PhReferenceProcessItem(data->ThreadProvider->ProcessId)) { data->ThreadProvider->HasServices = processItem->ServiceList && processItem->ServiceList->Count != 0; PhDereferenceObject(processItem); } data->ThreadProvider->HasServicesKnown = TRUE; } // Get the service tag, and the service name. if (WINDOWS_HAS_SERVICE_TAGS && data->ThreadProvider->SymbolProvider->IsRealHandle && data->ThreadItem->ThreadHandle) { PVOID serviceTag; if (NT_SUCCESS(PhGetThreadServiceTag( data->ThreadItem->ThreadHandle, data->ThreadProvider->ProcessHandle, &serviceTag ))) { data->ServiceName = PhGetServiceNameFromTag( data->ThreadProvider->ProcessId, serviceTag ); } } Done: RtlInterlockedPushEntrySList(&data->ThreadProvider->QueryListHead, &data->ListEntry); PhDereferenceObject(data->ThreadProvider); return STATUS_SUCCESS; }