static BOOLEAN NTAPI PhpPreviousInstancesCallback(
_In_ PPH_STRINGREF Name,
_In_ PPH_STRINGREF TypeName,
_In_opt_ PVOID Context
)
{
ULONG64 processId64;
PH_STRINGREF firstPart;
PH_STRINGREF secondPart;
if (
PhStartsWithStringRef2(Name, L"PhMutant_", TRUE) &&
PhSplitStringRefAtChar(Name, L'_', &firstPart, &secondPart) &&
PhStringToInteger64(&secondPart, 10, &processId64)
)
{
HANDLE processHandle;
if (NT_SUCCESS(PhOpenProcess(
&processHandle,
SYNCHRONIZE | PROCESS_TERMINATE,
ULongToHandle((ULONG)processId64)
)))
{
NtTerminateProcess(processHandle, 1);
NtClose(processHandle);
}
}
return TRUE;
}
/**
* Determines the type of a process based on its image file name.
*
* \param ProcessHandle A handle to a process.
* \param KnownProcessType A variable which receives the process
* type.
*/
NTSTATUS PhGetProcessKnownType(
__in HANDLE ProcessHandle,
__out PH_KNOWN_PROCESS_TYPE *KnownProcessType
)
{
NTSTATUS status;
PH_KNOWN_PROCESS_TYPE knownProcessType;
PROCESS_BASIC_INFORMATION basicInfo;
PH_STRINGREF systemRootPrefix;
PPH_STRING fileName;
PPH_STRING newFileName;
PH_STRINGREF name;
#ifdef _M_X64
BOOLEAN isWow64 = FALSE;
#endif
if (!NT_SUCCESS(status = PhGetProcessBasicInformation(
ProcessHandle,
&basicInfo
)))
return status;
if (basicInfo.UniqueProcessId == SYSTEM_PROCESS_ID)
{
*KnownProcessType = SystemProcessType;
return STATUS_SUCCESS;
}
PhGetSystemRoot(&systemRootPrefix);
if (!NT_SUCCESS(status = PhGetProcessImageFileName(
ProcessHandle,
&fileName
)))
{
return status;
}
newFileName = PhGetFileName(fileName);
PhDereferenceObject(fileName);
name = newFileName->sr;
knownProcessType = UnknownProcessType;
if (PhStartsWithStringRef(&name, &systemRootPrefix, TRUE))
{
// Skip the system root, and we now have three cases:
// 1. \\xyz.exe - Windows executable.
// 2. \\System32\\xyz.exe - system32 executable.
// 3. \\SysWow64\\xyz.exe - system32 executable + WOW64.
name.Buffer += systemRootPrefix.Length / 2;
name.Length -= systemRootPrefix.Length;
if (PhEqualStringRef2(&name, L"\\explorer.exe", TRUE))
{
knownProcessType = ExplorerProcessType;
}
else if (
PhStartsWithStringRef2(&name, L"\\System32", TRUE)
#ifdef _M_X64
|| (PhStartsWithStringRef2(&name, L"\\SysWow64", TRUE) && (isWow64 = TRUE, TRUE)) // ugly but necessary
#endif
)
{
// SysTem32 and SysWow64 are both 8 characters long.
name.Buffer += 9;
name.Length -= 9 * 2;
if (FALSE)
; // Dummy
else if (PhEqualStringRef2(&name, L"\\smss.exe", TRUE))
knownProcessType = SessionManagerProcessType;
else if (PhEqualStringRef2(&name, L"\\csrss.exe", TRUE))
knownProcessType = WindowsSubsystemProcessType;
else if (PhEqualStringRef2(&name, L"\\wininit.exe", TRUE))
knownProcessType = WindowsStartupProcessType;
else if (PhEqualStringRef2(&name, L"\\services.exe", TRUE))
knownProcessType = ServiceControlManagerProcessType;
else if (PhEqualStringRef2(&name, L"\\lsass.exe", TRUE))
knownProcessType = LocalSecurityAuthorityProcessType;
else if (PhEqualStringRef2(&name, L"\\lsm.exe", TRUE))
knownProcessType = LocalSessionManagerProcessType;
else if (PhEqualStringRef2(&name, L"\\winlogon.exe", TRUE))
knownProcessType = WindowsLogonProcessType;
else if (PhEqualStringRef2(&name, L"\\svchost.exe", TRUE))
knownProcessType = ServiceHostProcessType;
else if (PhEqualStringRef2(&name, L"\\rundll32.exe", TRUE))
knownProcessType = RunDllAsAppProcessType;
else if (PhEqualStringRef2(&name, L"\\dllhost.exe", TRUE))
knownProcessType = ComSurrogateProcessType;
else if (PhEqualStringRef2(&name, L"\\taskeng.exe", TRUE))
knownProcessType = TaskHostProcessType;
else if (PhEqualStringRef2(&name, L"\\taskhost.exe", TRUE))
knownProcessType = TaskHostProcessType;
}
}
PhDereferenceObject(newFileName);
#ifdef _M_X64
if (isWow64)
knownProcessType |= KnownProcessWow64;
#endif
*KnownProcessType = knownProcessType;
return status;
}
