NTSTATUS PhpThreadQueryWorker(
__in PVOID Parameter
)
{
PPH_THREAD_QUERY_DATA data = (PPH_THREAD_QUERY_DATA)Parameter;
LONG newSymbolsLoading;
newSymbolsLoading = _InterlockedIncrement(&data->ThreadProvider->SymbolsLoading);
if (newSymbolsLoading == 1)
PhInvokeCallback(&data->ThreadProvider->LoadingStateChangedEvent, (PVOID)TRUE);
// We can't resolve the start address until symbols have
// been loaded.
PhWaitForEvent(&data->ThreadProvider->SymbolsLoadedEvent, NULL);
data->StartAddressString = PhGetSymbolFromAddress(
data->ThreadProvider->SymbolProvider,
data->ThreadItem->StartAddress,
&data->StartAddressResolveLevel,
&data->ThreadItem->StartAddressFileName,
NULL,
NULL
);
newSymbolsLoading = _InterlockedDecrement(&data->ThreadProvider->SymbolsLoading);
if (newSymbolsLoading == 0)
PhInvokeCallback(&data->ThreadProvider->LoadingStateChangedEvent, (PVOID)FALSE);
// Get the service tag, and the service name.
if (
WINDOWS_HAS_SERVICE_TAGS &&
data->ThreadProvider->SymbolProvider->IsRealHandle &&
data->ThreadItem->ThreadHandle
)
{
PVOID serviceTag;
if (NT_SUCCESS(PhGetThreadServiceTag(
data->ThreadItem->ThreadHandle,
data->ThreadProvider->ProcessHandle,
&serviceTag
)))
{
data->ServiceName = PhGetServiceNameFromTag(
data->ThreadProvider->ProcessId,
serviceTag
);
}
}
RtlInterlockedPushEntrySList(&data->ThreadProvider->QueryListHead, &data->ListEntry);
PhDereferenceObject(data->ThreadProvider);
return STATUS_SUCCESS;
}
VOID EtDiskProcessDiskEvent(
__in PET_ETW_DISK_EVENT Event
)
{
PETP_DISK_PACKET packet;
if (!EtDiskEnabled)
return;
packet = PhAllocateFromFreeList(&EtDiskPacketFreeList);
memcpy(&packet->Event, Event, sizeof(ET_ETW_DISK_EVENT));
packet->FileName = EtFileObjectToFileName(Event->FileObject);
RtlInterlockedPushEntrySList(&EtDiskPacketListHead, &packet->ListEntry);
}
NTSTATUS PhpModuleQueryWorker(
__in PVOID Parameter
)
{
PPH_MODULE_QUERY_DATA data = (PPH_MODULE_QUERY_DATA)Parameter;
data->VerifyResult = PhVerifyFileCached(
data->ModuleItem->FileName,
&data->VerifySignerName,
FALSE
);
RtlInterlockedPushEntrySList(&data->ModuleProvider->QueryListHead, &data->ListEntry);
PhDereferenceObject(data->ModuleProvider);
return STATUS_SUCCESS;
}
NTSTATUS PhpThreadQueryWorker(
_In_ PVOID Parameter
)
{
PPH_THREAD_QUERY_DATA data = (PPH_THREAD_QUERY_DATA)Parameter;
LONG newSymbolsLoading;
if (data->ThreadProvider->Terminating)
goto Done;
newSymbolsLoading = _InterlockedIncrement(&data->ThreadProvider->SymbolsLoading);
if (newSymbolsLoading == 1)
PhInvokeCallback(&data->ThreadProvider->LoadingStateChangedEvent, (PVOID)TRUE);
if (data->ThreadProvider->SymbolsLoadedRunId == 0)
PhLoadSymbolsThreadProvider(data->ThreadProvider);
data->StartAddressString = PhGetSymbolFromAddress(
data->ThreadProvider->SymbolProvider,
data->ThreadItem->StartAddress,
&data->StartAddressResolveLevel,
&data->ThreadItem->StartAddressFileName,
NULL,
NULL
);
if (data->StartAddressResolveLevel == PhsrlAddress && data->ThreadProvider->SymbolsLoadedRunId < data->RunId)
{
// The process may have loaded new modules, so load symbols for those and try again.
PhLoadSymbolsThreadProvider(data->ThreadProvider);
PhClearReference(&data->StartAddressString);
PhClearReference(&data->ThreadItem->StartAddressFileName);
data->StartAddressString = PhGetSymbolFromAddress(
data->ThreadProvider->SymbolProvider,
data->ThreadItem->StartAddress,
&data->StartAddressResolveLevel,
&data->ThreadItem->StartAddressFileName,
NULL,
NULL
);
}
newSymbolsLoading = _InterlockedDecrement(&data->ThreadProvider->SymbolsLoading);
if (newSymbolsLoading == 0)
PhInvokeCallback(&data->ThreadProvider->LoadingStateChangedEvent, (PVOID)FALSE);
// Check if the process has services - we'll need to know before getting service tag/name
// information.
if (WINDOWS_HAS_SERVICE_TAGS && !data->ThreadProvider->HasServicesKnown)
{
PPH_PROCESS_ITEM processItem;
if (processItem = PhReferenceProcessItem(data->ThreadProvider->ProcessId))
{
data->ThreadProvider->HasServices = processItem->ServiceList && processItem->ServiceList->Count != 0;
PhDereferenceObject(processItem);
}
data->ThreadProvider->HasServicesKnown = TRUE;
}
// Get the service tag, and the service name.
if (WINDOWS_HAS_SERVICE_TAGS &&
data->ThreadProvider->SymbolProvider->IsRealHandle &&
data->ThreadItem->ThreadHandle)
{
PVOID serviceTag;
if (NT_SUCCESS(PhGetThreadServiceTag(
data->ThreadItem->ThreadHandle,
data->ThreadProvider->ProcessHandle,
&serviceTag
)))
{
data->ServiceName = PhGetServiceNameFromTag(
data->ThreadProvider->ProcessId,
serviceTag
);
}
}
Done:
RtlInterlockedPushEntrySList(&data->ThreadProvider->QueryListHead, &data->ListEntry);
PhDereferenceObject(data->ThreadProvider);
return STATUS_SUCCESS;
}
static ULONG NTAPI
PnpEventThread(IN PVOID Parameter)
{
NTSTATUS Status;
PPLUGPLAY_EVENT_BLOCK PnpEvent, NewPnpEvent;
ULONG PnpEventSize;
UNREFERENCED_PARAMETER(Parameter);
PnpEventSize = 0x1000;
PnpEvent = RtlAllocateHeap(ProcessHeap, 0, PnpEventSize);
if (PnpEvent == NULL)
{
Status = STATUS_NO_MEMORY;
goto Quit;
}
for (;;)
{
DPRINT("Calling NtGetPlugPlayEvent()\n");
/* Wait for the next PnP event */
Status = NtGetPlugPlayEvent(0, 0, PnpEvent, PnpEventSize);
/* Resize the buffer for the PnP event if it's too small */
if (Status == STATUS_BUFFER_TOO_SMALL)
{
PnpEventSize += 0x400;
NewPnpEvent = RtlReAllocateHeap(ProcessHeap, 0, PnpEvent, PnpEventSize);
if (NewPnpEvent == NULL)
{
Status = STATUS_NO_MEMORY;
goto Quit;
}
PnpEvent = NewPnpEvent;
continue;
}
if (!NT_SUCCESS(Status))
{
DPRINT1("NtGetPlugPlayEvent() failed (Status 0x%08lx)\n", Status);
goto Quit;
}
/* Process the PnP event */
DPRINT("Received PnP Event\n");
if (IsEqualGUID(&PnpEvent->EventGuid, &GUID_DEVICE_ENUMERATED))
{
DeviceInstallParams* Params;
ULONG len;
ULONG DeviceIdLength;
DPRINT("Device enumerated event: %S\n", PnpEvent->TargetDevice.DeviceIds);
DeviceIdLength = wcslen(PnpEvent->TargetDevice.DeviceIds);
if (DeviceIdLength)
{
/* Queue device install (will be dequeued by DeviceInstallThread) */
len = FIELD_OFFSET(DeviceInstallParams, DeviceIds) + (DeviceIdLength + 1) * sizeof(WCHAR);
Params = RtlAllocateHeap(ProcessHeap, 0, len);
if (Params)
{
wcscpy(Params->DeviceIds, PnpEvent->TargetDevice.DeviceIds);
RtlInterlockedPushEntrySList(&DeviceInstallListHead, &Params->ListEntry);
NtSetEvent(hDeviceInstallListNotEmpty, NULL);
}
else
{
DPRINT1("Not enough memory (size %lu)\n", len);
}
}
}
else
{
DPRINT("Unknown event, GUID {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}\n",
PnpEvent->EventGuid.Data1, PnpEvent->EventGuid.Data2, PnpEvent->EventGuid.Data3,
PnpEvent->EventGuid.Data4[0], PnpEvent->EventGuid.Data4[1], PnpEvent->EventGuid.Data4[2],
PnpEvent->EventGuid.Data4[3], PnpEvent->EventGuid.Data4[4], PnpEvent->EventGuid.Data4[5],
PnpEvent->EventGuid.Data4[6], PnpEvent->EventGuid.Data4[7]);
}
/* Dequeue the current PnP event and signal the next one */
NtPlugPlayControl(PlugPlayControlUserResponse, NULL, 0);
}
Status = STATUS_SUCCESS;
Quit:
if (PnpEvent)
RtlFreeHeap(ProcessHeap, 0, PnpEvent);
NtTerminateThread(NtCurrentThread(), Status);
return Status;
}
