VOID PhWritePhTextHeader(
__inout PPH_FILE_STREAM FileStream
)
{
PPH_STRING version;
LARGE_INTEGER time;
SYSTEMTIME systemTime;
PPH_STRING dateString;
PPH_STRING timeString;
PhWriteStringAsAnsiFileStream2(FileStream, L"Process Hacker ");
if (version = PhGetPhVersion())
{
PhWriteStringAsAnsiFileStream(FileStream, &version->sr);
PhDereferenceObject(version);
}
PhWriteStringFormatFileStream(FileStream, L"\r\nWindows NT %u.%u", PhOsVersion.dwMajorVersion, PhOsVersion.dwMinorVersion);
if (PhOsVersion.szCSDVersion[0] != 0)
PhWriteStringFormatFileStream(FileStream, L" %s", PhOsVersion.szCSDVersion);
#ifdef _M_IX86
PhWriteStringAsAnsiFileStream2(FileStream, L" (32-bit)");
#else
PhWriteStringAsAnsiFileStream2(FileStream, L" (64-bit)");
#endif
PhQuerySystemTime(&time);
PhLargeIntegerToLocalSystemTime(&systemTime, &time);
dateString = PhFormatDate(&systemTime, NULL);
timeString = PhFormatTime(&systemTime, NULL);
PhWriteStringFormatFileStream(FileStream, L"\r\n%s %s\r\n\r\n", dateString->Buffer, timeString->Buffer);
PhDereferenceObject(dateString);
PhDereferenceObject(timeString);
}
INT_PTR CALLBACK PhpSessionPropertiesDlgProc(
_In_ HWND hwndDlg,
_In_ UINT uMsg,
_In_ WPARAM wParam,
_In_ LPARAM lParam
)
{
switch (uMsg)
{
case WM_INITDIALOG:
{
ULONG sessionId = (ULONG)lParam;
WINSTATIONINFORMATION winStationInfo;
BOOLEAN haveWinStationInfo;
WINSTATIONCLIENT clientInfo;
BOOLEAN haveClientInfo;
ULONG returnLength;
PWSTR stateString;
SetProp(hwndDlg, L"SessionId", UlongToHandle(sessionId));
PhCenterWindow(hwndDlg, GetParent(hwndDlg));
// Query basic session information
haveWinStationInfo = WinStationQueryInformationW(
NULL,
sessionId,
WinStationInformation,
&winStationInfo,
sizeof(WINSTATIONINFORMATION),
&returnLength
);
// Query client information
haveClientInfo = WinStationQueryInformationW(
NULL,
sessionId,
WinStationClient,
&clientInfo,
sizeof(WINSTATIONCLIENT),
&returnLength
);
if (haveWinStationInfo)
{
SetDlgItemText(hwndDlg, IDC_USERNAME,
PhaFormatString(L"%s\\%s", winStationInfo.Domain, winStationInfo.UserName)->Buffer);
}
SetDlgItemInt(hwndDlg, IDC_SESSIONID, sessionId, FALSE);
if (haveWinStationInfo)
{
if (PhFindStringSiKeyValuePairs(
PhpConnectStatePairs,
sizeof(PhpConnectStatePairs),
winStationInfo.ConnectState,
&stateString
))
{
SetDlgItemText(hwndDlg, IDC_STATE, stateString);
}
}
if (haveWinStationInfo && winStationInfo.LogonTime.QuadPart != 0)
{
SYSTEMTIME systemTime;
PPH_STRING time;
PhLargeIntegerToLocalSystemTime(&systemTime, &winStationInfo.LogonTime);
time = PhFormatDateTime(&systemTime);
SetDlgItemText(hwndDlg, IDC_LOGONTIME, time->Buffer);
PhDereferenceObject(time);
}
if (haveWinStationInfo && winStationInfo.ConnectTime.QuadPart != 0)
{
SYSTEMTIME systemTime;
PPH_STRING time;
PhLargeIntegerToLocalSystemTime(&systemTime, &winStationInfo.ConnectTime);
time = PhFormatDateTime(&systemTime);
SetDlgItemText(hwndDlg, IDC_CONNECTTIME, time->Buffer);
PhDereferenceObject(time);
}
if (haveWinStationInfo && winStationInfo.DisconnectTime.QuadPart != 0)
{
SYSTEMTIME systemTime;
PPH_STRING time;
PhLargeIntegerToLocalSystemTime(&systemTime, &winStationInfo.DisconnectTime);
time = PhFormatDateTime(&systemTime);
SetDlgItemText(hwndDlg, IDC_DISCONNECTTIME, time->Buffer);
PhDereferenceObject(time);
}
if (haveWinStationInfo && winStationInfo.LastInputTime.QuadPart != 0)
{
SYSTEMTIME systemTime;
PPH_STRING time;
PhLargeIntegerToLocalSystemTime(&systemTime, &winStationInfo.LastInputTime);
time = PhFormatDateTime(&systemTime);
SetDlgItemText(hwndDlg, IDC_LASTINPUTTIME, time->Buffer);
PhDereferenceObject(time);
}
if (haveClientInfo && clientInfo.ClientName[0] != 0)
{
WCHAR addressString[65];
SetDlgItemText(hwndDlg, IDC_CLIENTNAME, clientInfo.ClientName);
if (clientInfo.ClientAddressFamily == AF_INET6)
{
struct in6_addr address;
ULONG i;
PUSHORT in;
PUSHORT out;
// IPv6 is special - the client address data is a reversed version of
// the real address.
in = (PUSHORT)clientInfo.ClientAddress;
out = (PUSHORT)address.u.Word;
for (i = 8; i != 0; i--)
{
*out = _byteswap_ushort(*in);
in++;
out++;
}
RtlIpv6AddressToString(&address, addressString);
}
else
{
wcscpy_s(addressString, 65, clientInfo.ClientAddress);
}
SetDlgItemText(hwndDlg, IDC_CLIENTADDRESS, addressString);
SetDlgItemText(hwndDlg, IDC_CLIENTDISPLAY,
PhaFormatString(L"%ux%u@%u", clientInfo.HRes,
clientInfo.VRes, clientInfo.ColorDepth)->Buffer
);
}
SendMessage(hwndDlg, WM_NEXTDLGCTL, (WPARAM)GetDlgItem(hwndDlg, IDOK), TRUE);
}
break;
case WM_DESTROY:
{
RemoveProp(hwndDlg, L"SessionId");
}
break;
case WM_COMMAND:
{
switch (LOWORD(wParam))
{
case IDCANCEL:
case IDOK:
EndDialog(hwndDlg, IDOK);
break;
}
}
break;
}
return FALSE;
}
INT_PTR CALLBACK PhpLogDlgProc(
__in HWND hwndDlg,
__in UINT uMsg,
__in WPARAM wParam,
__in LPARAM lParam
)
{
switch (uMsg)
{
case WM_INITDIALOG:
{
ListViewHandle = GetDlgItem(hwndDlg, IDC_LIST);
PhSetListViewStyle(ListViewHandle, FALSE, TRUE);
PhSetControlTheme(ListViewHandle, L"explorer");
PhAddListViewColumn(ListViewHandle, 0, 0, 0, LVCFMT_LEFT, 140, L"Time");
PhAddListViewColumn(ListViewHandle, 1, 1, 1, LVCFMT_LEFT, 260, L"Message");
PhLoadListViewColumnsFromSetting(L"LogListViewColumns", ListViewHandle);
PhInitializeLayoutManager(&WindowLayoutManager, hwndDlg);
PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_LIST), NULL,
PH_ANCHOR_ALL);
PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDOK), NULL,
PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM);
PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_COPY), NULL,
PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM);
PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_SAVE), NULL,
PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM);
PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_AUTOSCROLL), NULL,
PH_ANCHOR_BOTTOM | PH_ANCHOR_LEFT);
PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_CLEAR), NULL,
PH_ANCHOR_BOTTOM | PH_ANCHOR_LEFT);
MinimumSize.left = 0;
MinimumSize.top = 0;
MinimumSize.right = 290;
MinimumSize.bottom = 150;
MapDialogRect(hwndDlg, &MinimumSize);
PhLoadWindowPlacementFromSetting(L"LogWindowPosition", L"LogWindowSize", hwndDlg);
Button_SetCheck(GetDlgItem(hwndDlg, IDC_AUTOSCROLL), BST_CHECKED);
PhRegisterCallback(&PhLoggedCallback, LoggedCallback, NULL, &LoggedRegistration);
PhpUpdateLogList();
ListView_EnsureVisible(ListViewHandle, ListViewCount - 1, FALSE);
}
break;
case WM_DESTROY:
{
PhSaveListViewColumnsToSetting(L"LogListViewColumns", ListViewHandle);
PhSaveWindowPlacementToSetting(L"LogWindowPosition", L"LogWindowSize", hwndDlg);
PhDeleteLayoutManager(&WindowLayoutManager);
PhUnregisterCallback(&PhLoggedCallback, &LoggedRegistration);
PhUnregisterDialog(PhLogWindowHandle);
PhLogWindowHandle = NULL;
}
break;
case WM_COMMAND:
{
switch (LOWORD(wParam))
{
case IDCANCEL:
case IDOK:
DestroyWindow(hwndDlg);
break;
case IDC_CLEAR:
{
PhClearLogEntries();
PhpUpdateLogList();
}
break;
case IDC_COPY:
{
PPH_STRING string;
ULONG selectedCount;
selectedCount = ListView_GetSelectedCount(ListViewHandle);
if (selectedCount == 0)
{
// User didn't select anything, so copy all items.
string = PhpGetStringForSelectedLogEntries(TRUE);
PhSetStateAllListViewItems(ListViewHandle, LVIS_SELECTED, LVIS_SELECTED);
}
else
{
string = PhpGetStringForSelectedLogEntries(FALSE);
}
PhSetClipboardStringEx(hwndDlg, string->Buffer, string->Length);
PhDereferenceObject(string);
SetFocus(ListViewHandle);
}
break;
case IDC_SAVE:
{
static PH_FILETYPE_FILTER filters[] =
{
{ L"Text files (*.txt)", L"*.txt" },
{ L"All files (*.*)", L"*.*" }
};
PVOID fileDialog;
fileDialog = PhCreateSaveFileDialog();
PhSetFileDialogFilter(fileDialog, filters, sizeof(filters) / sizeof(PH_FILETYPE_FILTER));
PhSetFileDialogFileName(fileDialog, L"Process Hacker Log.txt");
if (PhShowFileDialog(hwndDlg, fileDialog))
{
NTSTATUS status;
PPH_STRING fileName;
PPH_FILE_STREAM fileStream;
PPH_STRING string;
fileName = PhGetFileDialogFileName(fileDialog);
PhaDereferenceObject(fileName);
if (NT_SUCCESS(status = PhCreateFileStream(
&fileStream,
fileName->Buffer,
FILE_GENERIC_WRITE,
FILE_SHARE_READ,
FILE_OVERWRITE_IF,
0
)))
{
PhWritePhTextHeader(fileStream);
string = PhpGetStringForSelectedLogEntries(TRUE);
PhWriteStringAsAnsiFileStreamEx(fileStream, string->Buffer, string->Length);
PhDereferenceObject(string);
PhDereferenceObject(fileStream);
}
if (!NT_SUCCESS(status))
PhShowStatus(hwndDlg, L"Unable to create the file", status, 0);
}
PhFreeFileDialog(fileDialog);
}
break;
}
}
break;
case WM_NOTIFY:
{
LPNMHDR header = (LPNMHDR)lParam;
switch (header->code)
{
case LVN_GETDISPINFO:
{
NMLVDISPINFO *dispInfo = (NMLVDISPINFO *)header;
PPH_LOG_ENTRY entry;
entry = PhGetItemCircularBuffer_PVOID(&PhLogBuffer, ListViewCount - dispInfo->item.iItem - 1);
if (dispInfo->item.iSubItem == 0)
{
if (dispInfo->item.mask & LVIF_TEXT)
{
SYSTEMTIME systemTime;
PPH_STRING dateTime;
PhLargeIntegerToLocalSystemTime(&systemTime, &entry->Time);
dateTime = PhFormatDateTime(&systemTime);
wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, dateTime->Buffer, _TRUNCATE);
PhDereferenceObject(dateTime);
}
}
else if (dispInfo->item.iSubItem == 1)
{
if (dispInfo->item.mask & LVIF_TEXT)
{
PPH_STRING string;
string = PhFormatLogEntry(entry);
wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, string->Buffer, _TRUNCATE);
PhDereferenceObject(string);
}
}
}
break;
}
}
break;
case WM_SIZE:
{
PhLayoutManagerLayout(&WindowLayoutManager);
}
break;
case WM_SIZING:
{
PhResizingMinimumSize((PRECT)lParam, wParam, MinimumSize.right, MinimumSize.bottom);
}
break;
case WM_PH_LOG_UPDATED:
{
PhpUpdateLogList();
}
break;
}
return FALSE;
}
VOID PhpUpdateThreadDetails(
_In_ HWND hwndDlg,
_In_ PPH_THREADS_CONTEXT Context,
_In_ BOOLEAN Force
)
{
PPH_THREAD_ITEM *threads;
ULONG numberOfThreads;
PPH_THREAD_ITEM threadItem;
PPH_STRING startModule = NULL;
PPH_STRING started = NULL;
WCHAR kernelTime[PH_TIMESPAN_STR_LEN_1] = L"N/A";
WCHAR userTime[PH_TIMESPAN_STR_LEN_1] = L"N/A";
PPH_STRING contextSwitches = NULL;
PPH_STRING cycles = NULL;
PPH_STRING state = NULL;
WCHAR priority[PH_INT32_STR_LEN_1] = L"N/A";
WCHAR basePriority[PH_INT32_STR_LEN_1] = L"N/A";
PWSTR ioPriority = L"N/A";
PWSTR pagePriority = L"N/A";
WCHAR idealProcessor[PH_INT32_STR_LEN + 1 + PH_INT32_STR_LEN + 1] = L"N/A";
HANDLE threadHandle;
SYSTEMTIME time;
IO_PRIORITY_HINT ioPriorityInteger;
ULONG pagePriorityInteger;
PROCESSOR_NUMBER idealProcessorNumber;
ULONG suspendCount;
PhGetSelectedThreadItems(&Context->ListContext, &threads, &numberOfThreads);
if (numberOfThreads == 1)
threadItem = threads[0];
else
threadItem = NULL;
PhFree(threads);
if (numberOfThreads != 1 && !Force)
return;
if (numberOfThreads == 1)
{
startModule = threadItem->StartAddressFileName;
PhLargeIntegerToLocalSystemTime(&time, &threadItem->CreateTime);
started = PhaFormatDateTime(&time);
PhPrintTimeSpan(kernelTime, threadItem->KernelTime.QuadPart, PH_TIMESPAN_HMSM);
PhPrintTimeSpan(userTime, threadItem->UserTime.QuadPart, PH_TIMESPAN_HMSM);
contextSwitches = PhaFormatUInt64(threadItem->ContextSwitchesDelta.Value, TRUE);
if (WINDOWS_HAS_CYCLE_TIME)
cycles = PhaFormatUInt64(threadItem->CyclesDelta.Value, TRUE);
if (threadItem->State != Waiting)
{
if ((ULONG)threadItem->State < MaximumThreadState)
state = PhaCreateString(PhKThreadStateNames[(ULONG)threadItem->State]);
else
state = PhaCreateString(L"Unknown");
}
else
{
if ((ULONG)threadItem->WaitReason < MaximumWaitReason)
state = PhaConcatStrings2(L"Wait:", PhKWaitReasonNames[(ULONG)threadItem->WaitReason]);
else
state = PhaCreateString(L"Waiting");
}
PhPrintInt32(priority, threadItem->Priority);
PhPrintInt32(basePriority, threadItem->BasePriority);
if (NT_SUCCESS(PhOpenThread(&threadHandle, ThreadQueryAccess, threadItem->ThreadId)))
{
if (NT_SUCCESS(PhGetThreadIoPriority(threadHandle, &ioPriorityInteger)) &&
ioPriorityInteger < MaxIoPriorityTypes)
{
ioPriority = PhIoPriorityHintNames[ioPriorityInteger];
}
if (NT_SUCCESS(PhGetThreadPagePriority(threadHandle, &pagePriorityInteger)) &&
pagePriorityInteger <= MEMORY_PRIORITY_NORMAL)
{
pagePriority = PhPagePriorityNames[pagePriorityInteger];
}
if (NT_SUCCESS(NtQueryInformationThread(threadHandle, ThreadIdealProcessorEx, &idealProcessorNumber, sizeof(PROCESSOR_NUMBER), NULL)))
{
PH_FORMAT format[3];
PhInitFormatU(&format[0], idealProcessorNumber.Group);
PhInitFormatC(&format[1], ':');
PhInitFormatU(&format[2], idealProcessorNumber.Number);
PhFormatToBuffer(format, 3, idealProcessor, sizeof(idealProcessor), NULL);
}
if (threadItem->WaitReason == Suspended && NT_SUCCESS(NtQueryInformationThread(threadHandle, ThreadSuspendCount, &suspendCount, sizeof(ULONG), NULL)))
{
PH_FORMAT format[4];
PhInitFormatSR(&format[0], state->sr);
PhInitFormatS(&format[1], L" (");
PhInitFormatU(&format[2], suspendCount);
PhInitFormatS(&format[3], L")");
state = PH_AUTO(PhFormat(format, 4, 30));
}
NtClose(threadHandle);
}
}
if (Force)
{
// These don't change...
SetDlgItemText(hwndDlg, IDC_STARTMODULE, PhGetStringOrEmpty(startModule));
EnableWindow(GetDlgItem(hwndDlg, IDC_OPENSTARTMODULE), !!startModule);
SetDlgItemText(hwndDlg, IDC_STARTED, PhGetStringOrDefault(started, L"N/A"));
}
SetDlgItemText(hwndDlg, IDC_KERNELTIME, kernelTime);
SetDlgItemText(hwndDlg, IDC_USERTIME, userTime);
SetDlgItemText(hwndDlg, IDC_CONTEXTSWITCHES, PhGetStringOrDefault(contextSwitches, L"N/A"));
SetDlgItemText(hwndDlg, IDC_CYCLES, PhGetStringOrDefault(cycles, L"N/A"));
SetDlgItemText(hwndDlg, IDC_STATE, PhGetStringOrDefault(state, L"N/A"));
SetDlgItemText(hwndDlg, IDC_PRIORITY, priority);
SetDlgItemText(hwndDlg, IDC_BASEPRIORITY, basePriority);
SetDlgItemText(hwndDlg, IDC_IOPRIORITY, ioPriority);
SetDlgItemText(hwndDlg, IDC_PAGEPRIORITY, pagePriority);
SetDlgItemText(hwndDlg, IDC_IDEALPROCESSOR, idealProcessor);
}
BOOLEAN EtpRefreshUnloadedDlls(
__in HWND hwndDlg,
__in PUNLOADED_DLLS_CONTEXT Context
)
{
NTSTATUS status;
PULONG elementSize;
PULONG elementCount;
PVOID eventTrace;
HANDLE processHandle = NULL;
ULONG eventTraceSize;
ULONG capturedElementSize;
ULONG capturedElementCount;
PVOID capturedEventTracePointer;
PVOID capturedEventTrace = NULL;
ULONG i;
PVOID currentEvent;
HWND lvHandle;
lvHandle = GetDlgItem(hwndDlg, IDC_LIST);
ListView_DeleteAllItems(lvHandle);
RtlGetUnloadEventTraceEx(&elementSize, &elementCount, &eventTrace);
if (!NT_SUCCESS(status = PhOpenProcess(&processHandle, PROCESS_VM_READ, Context->ProcessItem->ProcessId)))
goto CleanupExit;
// We have the pointers for the unload event trace information.
// Since ntdll is loaded at the same base address across all processes,
// we can read the information in.
if (!NT_SUCCESS(status = PhReadVirtualMemory(
processHandle,
elementSize,
&capturedElementSize,
sizeof(ULONG),
NULL
)))
goto CleanupExit;
if (!NT_SUCCESS(status = PhReadVirtualMemory(
processHandle,
elementCount,
&capturedElementCount,
sizeof(ULONG),
NULL
)))
goto CleanupExit;
if (!NT_SUCCESS(status = PhReadVirtualMemory(
processHandle,
eventTrace,
&capturedEventTracePointer,
sizeof(PVOID),
NULL
)))
goto CleanupExit;
if (!capturedEventTracePointer)
goto CleanupExit; // no events
if (capturedElementCount > 0x4000)
capturedElementCount = 0x4000;
eventTraceSize = capturedElementSize * capturedElementCount;
capturedEventTrace = PhAllocateSafe(eventTraceSize);
if (!capturedEventTrace)
{
status = STATUS_NO_MEMORY;
goto CleanupExit;
}
if (!NT_SUCCESS(status = PhReadVirtualMemory(
processHandle,
capturedEventTracePointer,
capturedEventTrace,
eventTraceSize,
NULL
)))
goto CleanupExit;
currentEvent = capturedEventTrace;
ExtendedListView_SetRedraw(lvHandle, FALSE);
for (i = 0; i < capturedElementCount; i++)
{
PRTL_UNLOAD_EVENT_TRACE rtlEvent = currentEvent;
INT lvItemIndex;
WCHAR buffer[128];
PPH_STRING string;
LARGE_INTEGER time;
SYSTEMTIME systemTime;
if (!rtlEvent->BaseAddress)
break;
PhPrintUInt32(buffer, rtlEvent->Sequence);
lvItemIndex = PhAddListViewItem(lvHandle, MAXINT, buffer, rtlEvent);
// Name
if (PhCopyUnicodeStringZ(rtlEvent->ImageName, sizeof(rtlEvent->ImageName) / sizeof(WCHAR),
buffer, sizeof(buffer) / sizeof(WCHAR), NULL))
{
PhSetListViewSubItem(lvHandle, lvItemIndex, 1, buffer);
}
// Base Address
PhPrintPointer(buffer, rtlEvent->BaseAddress);
PhSetListViewSubItem(lvHandle, lvItemIndex, 2, buffer);
// Size
string = PhFormatSize(rtlEvent->SizeOfImage, -1);
PhSetListViewSubItem(lvHandle, lvItemIndex, 3, string->Buffer);
PhDereferenceObject(string);
// Time Stamp
RtlSecondsSince1970ToTime(rtlEvent->TimeDateStamp, &time);
PhLargeIntegerToLocalSystemTime(&systemTime, &time);
string = PhFormatDateTime(&systemTime);
PhSetListViewSubItem(lvHandle, lvItemIndex, 4, string->Buffer);
PhDereferenceObject(string);
// Checksum
PhPrintPointer(buffer, UlongToPtr(rtlEvent->CheckSum));
PhSetListViewSubItem(lvHandle, lvItemIndex, 5, buffer);
currentEvent = PTR_ADD_OFFSET(currentEvent, capturedElementSize);
}
ExtendedListView_SortItems(lvHandle);
ExtendedListView_SetRedraw(lvHandle, TRUE);
if (Context->CapturedEventTrace)
PhFree(Context->CapturedEventTrace);
Context->CapturedEventTrace = capturedEventTrace;
CleanupExit:
if (processHandle)
NtClose(processHandle);
if (NT_SUCCESS(status))
{
return TRUE;
}
else
{
PhShowStatus(hwndDlg, L"Unable to retrieve unload event trace information", status, 0);
return FALSE;
}
}
