static PVOID GetExitProcessFunction(
    VOID
    )
{
    // Resolve the process-exit routine for this OS: RtlExitUserProcess is an
    // ntdll export on Vista and above, older systems fall back to the
    // kernel32 ExitProcess export. Returns NULL if PhGetProcAddress fails.
    PWSTR moduleName = L"kernel32.dll";
    PSTR procedureName = "ExitProcess";

    if (WindowsVersion >= WINDOWS_VISTA)
    {
        moduleName = L"ntdll.dll";
        procedureName = "RtlExitUserProcess";
    }

    return PhGetProcAddress(moduleName, procedureName);
}
NTSTATUS PHAPI KphInit()
{
    // Resolve the ntdll procedures KPH relies on into the shared function
    // pointers. Resolution stops at the first missing export and reports
    // STATUS_PROCEDURE_NOT_FOUND; pointers resolved before that point keep
    // their values.
    NtDeviceIoControlFile = (_NtDeviceIoControlFile)
        PhGetProcAddress(L"ntdll.dll", "NtDeviceIoControlFile");

    if (!NtDeviceIoControlFile)
        return STATUS_PROCEDURE_NOT_FOUND;

    NtTerminateProcess = (_NtTerminateProcess)
        PhGetProcAddress(L"ntdll.dll", "NtTerminateProcess");

    if (!NtTerminateProcess)
        return STATUS_PROCEDURE_NOT_FOUND;

    NtTerminateThread = (_NtTerminateThread)
        PhGetProcAddress(L"ntdll.dll", "NtTerminateThread");

    if (!NtTerminateThread)
        return STATUS_PROCEDURE_NOT_FOUND;

    return STATUS_SUCCESS;
}
PPH_STRING PhGetServiceNameFromTag(
    __in HANDLE ProcessId,
    __in PVOID ServiceTag
    )
{
    // Map a service tag inside the given process to the service's name via
    // advapi32!I_QueryTagInformation. Returns a newly created string, or NULL
    // when the export is unavailable or no name was returned for the tag.
    static PQUERY_TAG_INFORMATION I_QueryTagInformation = NULL;
    TAG_INFO_NAME_FROM_TAG query;
    PPH_STRING name;

    // The export is resolved lazily and cached for the process lifetime.
    if (!I_QueryTagInformation)
        I_QueryTagInformation = PhGetProcAddress(L"advapi32.dll", "I_QueryTagInformation");

    if (!I_QueryTagInformation)
        return NULL;

    memset(&query, 0, sizeof query);
    query.InParams.dwPid = (ULONG)ProcessId;
    query.InParams.dwTag = (ULONG)ServiceTag;

    // NOTE(review): the call's return value is not checked; a failure is only
    // detected by OutParams.pszName staying NULL from the memset above.
    I_QueryTagInformation(NULL, eTagInfoLevelNameFromTag, &query);

    if (!query.OutParams.pszName)
        return NULL;

    // The buffer was allocated by the callee and must be released with LocalFree.
    name = PhCreateString(query.OutParams.pszName);
    LocalFree(query.OutParams.pszName);

    return name;
}
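ULONG UpdateDotNetTraceInfo(
    __in PASMPAGE_CONTEXT Context,
    __in BOOLEAN ClrV2
    )
{
    // Start a trace session, enable the CLR provider selected by ClrV2 on it,
    // process the resulting events into Context, then stop the session.
    //
    // Returns 0 on success, ERROR_NOT_SUPPORTED when advapi32!EnableTraceEx is
    // not available, or the Win32 error from StartDotNetTrace, EnableTraceEx
    // or ProcessDotNetTrace.
    static _EnableTraceEx EnableTraceEx_I = NULL;

    ULONG result;
    TRACEHANDLE sessionHandle;
    PEVENT_TRACE_PROPERTIES properties;
    PGUID guidToEnable;

    // Resolved lazily and cached; without this export the provider cannot be
    // enabled, so there is no point starting a session.
    if (!EnableTraceEx_I)
        EnableTraceEx_I = (_EnableTraceEx)PhGetProcAddress(L"advapi32.dll", "EnableTraceEx");
    if (!EnableTraceEx_I)
        return ERROR_NOT_SUPPORTED;

    // On success StartDotNetTrace hands us sessionHandle and the properties
    // block; both are released at the bottom on every path from here on.
    result = StartDotNetTrace(Context, &sessionHandle, &properties);

    if (result != 0)
        return result;

    // ClrV2 selects the runtime provider; otherwise the rundown provider is used.
    guidToEnable = ClrV2 ? &ClrRuntimeProviderGuid : &ClrRundownProviderGuid;

    // The enable result was previously ignored, so a failed enable silently
    // produced an empty trace. Now the error is propagated, but only after the
    // session has been stopped and the properties block freed.
    result = EnableTraceEx_I(
        guidToEnable,
        NULL,
        sessionHandle,
        1,
        TRACE_LEVEL_INFORMATION,
        CLR_LOADER_KEYWORD | CLR_STARTENUMERATION_KEYWORD,
        0,
        0,
        NULL
        );

    if (result == 0)
        result = ProcessDotNetTrace(Context);

    // Tear the session down regardless of how processing went.
    ControlTrace(sessionHandle, NULL, properties, EVENT_TRACE_CONTROL_STOP);
    PhFree(properties);

    return result;
}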
    _Out_opt_ PUNICODE_STRING OutOfProcessCallbackDllString
    )
{
    NTSTATUS status;
    PLIST_ENTRY (NTAPI *rtlGetFunctionTableListHead)(VOID);
    PLIST_ENTRY tableListHead;
    LIST_ENTRY tableListHeadEntry;
    PLIST_ENTRY tableListEntry;
    PDYNAMIC_FUNCTION_TABLE functionTableAddress;
    DYNAMIC_FUNCTION_TABLE functionTable;
    ULONG count;
    SIZE_T numberOfBytesRead;
    ULONG i;
    BOOLEAN foundNull;

    rtlGetFunctionTableListHead = PhGetProcAddress(L"ntdll.dll", "RtlGetFunctionTableListHead");

    if (!rtlGetFunctionTableListHead)
        return STATUS_PROCEDURE_NOT_FOUND;

    tableListHead = rtlGetFunctionTableListHead();

    // Find the function table entry for this address.

    if (!NT_SUCCESS(status = PhReadVirtualMemory(
        ProcessHandle,
        tableListHead,
        &tableListHeadEntry,
        sizeof(LIST_ENTRY),
        NULL
        )))