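/**
 * Object enumeration callback that terminates previous instances.
 *
 * \param Name The name of the enumerated object.
 * \param TypeName The type name of the enumerated object (not used).
 * \param Context Not used.
 *
 * \return TRUE, so enumeration always continues.
 *
 * \remarks Objects named "PhMutant_<pid>" are taken to mark an earlier
 * instance: the decimal PID after the underscore is parsed and that process
 * is terminated if it can be opened with PROCESS_TERMINATE. Only the object
 * name is consulted - nothing verifies that the target really is a previous
 * instance (for example by comparing its image path), so anything able to
 * create objects in the enumerated directory can name a mutant after an
 * unrelated process. NOTE(review): the caller decides which directory is
 * enumerated; confirm that this trust assumption holds for it.
 */
static BOOLEAN NTAPI PhpPreviousInstancesCallback(
    _In_ PPH_STRINGREF Name,
    _In_ PPH_STRINGREF TypeName,
    _In_opt_ PVOID Context
    )
{
    ULONG64 processId64;
    PH_STRINGREF firstPart;
    PH_STRINGREF secondPart;

    if (
        PhStartsWithStringRef2(Name, L"PhMutant_", TRUE) &&
        PhSplitStringRefAtChar(Name, L'_', &firstPart, &secondPart) &&
        PhStringToInteger64(&secondPart, 10, &processId64) &&
        // The parser yields a 64-bit value but the PID passed to
        // ULongToHandle is 32-bit; a value that does not round-trip through
        // ULONG would otherwise be silently truncated onto a different PID.
        processId64 == (ULONG)processId64
        )
    {
        HANDLE processHandle;

        if (NT_SUCCESS(PhOpenProcess(
            &processHandle,
            SYNCHRONIZE | PROCESS_TERMINATE,
            ULongToHandle((ULONG)processId64)
            )))
        {
            // Best effort: a failed termination is deliberately not reported.
            NtTerminateProcess(processHandle, 1);
            NtClose(processHandle);
        }
    }

    return TRUE;
}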
/**
 * Classifies a process by the path of its image file.
 *
 * \param ProcessHandle A handle to the process. It must allow
 * PhGetProcessBasicInformation and PhGetProcessImageFileName to succeed.
 * \param KnownProcessType Receives the classification. On x64 builds the
 * KnownProcessWow64 flag is OR'd in when the image lives under SysWow64.
 *
 * \return STATUS_SUCCESS, or the status of the query that failed, in which
 * case *KnownProcessType is left unwritten.
 *
 * \remarks This is a path heuristic only. A process whose image sits under
 * the system root and is named like a well-known system binary is reported
 * as that binary; nothing here checks signatures, parents or PIDs, so the
 * result must not be used as a trust or security decision.
 */
NTSTATUS PhGetProcessKnownType(
    __in HANDLE ProcessHandle,
    __out PH_KNOWN_PROCESS_TYPE *KnownProcessType
    )
{
    // Well-known executables found directly in System32 (or SysWow64 on x64).
    // Each name keeps its leading backslash because the comparison happens
    // after the directory prefix has been stripped. The first match wins.
    static const struct
    {
        PWSTR Name;
        PH_KNOWN_PROCESS_TYPE Type;
    } systemExecutables[] =
    {
        { L"\\smss.exe", SessionManagerProcessType },
        { L"\\csrss.exe", WindowsSubsystemProcessType },
        { L"\\wininit.exe", WindowsStartupProcessType },
        { L"\\services.exe", ServiceControlManagerProcessType },
        { L"\\lsass.exe", LocalSecurityAuthorityProcessType },
        { L"\\lsm.exe", LocalSessionManagerProcessType },
        { L"\\winlogon.exe", WindowsLogonProcessType },
        { L"\\svchost.exe", ServiceHostProcessType },
        { L"\\rundll32.exe", RunDllAsAppProcessType },
        { L"\\dllhost.exe", ComSurrogateProcessType },
        { L"\\taskeng.exe", TaskHostProcessType },
        { L"\\taskhost.exe", TaskHostProcessType }
    };

    NTSTATUS status;
    PROCESS_BASIC_INFORMATION basicInfo;
    PH_STRINGREF systemRootPrefix;
    PPH_STRING fileName;
    PPH_STRING normalizedFileName;
    PH_STRINGREF remainder;
    PH_KNOWN_PROCESS_TYPE result = UnknownProcessType;
    BOOLEAN inSystemDirectory = FALSE;
#ifdef _M_X64
    BOOLEAN isWow64 = FALSE;
#endif

    status = PhGetProcessBasicInformation(ProcessHandle, &basicInfo);

    if (!NT_SUCCESS(status))
        return status;

    // The System process is recognised by its PID, not by an image path.
    if (basicInfo.UniqueProcessId == SYSTEM_PROCESS_ID)
    {
        *KnownProcessType = SystemProcessType;
        return STATUS_SUCCESS;
    }

    PhGetSystemRoot(&systemRootPrefix);

    status = PhGetProcessImageFileName(ProcessHandle, &fileName);

    if (!NT_SUCCESS(status))
        return status;

    // Run the image path through PhGetFileName (presumably a native-to-Win32
    // path conversion) so it is comparable with the system root prefix.
    normalizedFileName = PhGetFileName(fileName);
    PhDereferenceObject(fileName);
    remainder = normalizedFileName->sr;

    if (PhStartsWithStringRef(&remainder, &systemRootPrefix, TRUE))
    {
        // Strip the system root. Length counts bytes, Buffer steps in WCHARs.
        remainder.Buffer += systemRootPrefix.Length / 2;
        remainder.Length -= systemRootPrefix.Length;

        // What remains is one of:
        //   \xyz.exe            directly under the system root
        //   \System32\xyz.exe   the system directory
        //   \SysWow64\xyz.exe   the 32-bit system directory (x64 builds only)
        if (PhEqualStringRef2(&remainder, L"\\explorer.exe", TRUE))
        {
            result = ExplorerProcessType;
        }
        else if (PhStartsWithStringRef2(&remainder, L"\\System32", TRUE))
        {
            inSystemDirectory = TRUE;
        }
#ifdef _M_X64
        else if (PhStartsWithStringRef2(&remainder, L"\\SysWow64", TRUE))
        {
            inSystemDirectory = TRUE;
            isWow64 = TRUE;
        }
#endif

        if (inSystemDirectory)
        {
            ULONG i;

            // "\System32" and "\SysWow64" are both 9 characters long
            // (8 plus the leading backslash), so the remainder now starts
            // with the backslash that precedes the file name.
            remainder.Buffer += 9;
            remainder.Length -= 9 * 2;

            for (i = 0; i < sizeof(systemExecutables) / sizeof(systemExecutables[0]); i++)
            {
                if (PhEqualStringRef2(&remainder, systemExecutables[i].Name, TRUE))
                {
                    result = systemExecutables[i].Type;
                    break;
                }
            }
        }
    }

    PhDereferenceObject(normalizedFileName);

#ifdef _M_X64
    // Flag WOW64 even when the executable itself was not recognised.
    if (isWow64)
        result |= KnownProcessWow64;
#endif

    *KnownProcessType = result;

    return status;
}