VOID PhSvcHandleConnectionRequest(
_In_ PPORT_MESSAGE PortMessage
)
{
NTSTATUS status;
PPHSVC_API_MSG message;
PPHSVC_API_MSG64 message64;
CLIENT_ID clientId;
PPHSVC_CLIENT client;
HANDLE portHandle;
REMOTE_PORT_VIEW clientView;
REMOTE_PORT_VIEW64 clientView64;
PREMOTE_PORT_VIEW actualClientView;
message = (PPHSVC_API_MSG)PortMessage;
message64 = (PPHSVC_API_MSG64)PortMessage;
if (PhIsExecutingInWow64())
{
clientId.UniqueProcess = (HANDLE)message64->h.ClientId.UniqueProcess;
clientId.UniqueThread = (HANDLE)message64->h.ClientId.UniqueThread;
}
else
{
PPH_STRING referenceFileName;
PPH_STRING remoteFileName;
clientId = message->h.ClientId;
// Make sure that the remote process is Process Hacker itself and not some other program.
referenceFileName = NULL;
PhGetProcessImageFileNameByProcessId(NtCurrentProcessId(), &referenceFileName);
PH_AUTO(referenceFileName);
remoteFileName = NULL;
PhGetProcessImageFileNameByProcessId(clientId.UniqueProcess, &remoteFileName);
PH_AUTO(remoteFileName);
if (!referenceFileName || !remoteFileName || !PhEqualString(referenceFileName, remoteFileName, TRUE))
{
NtAcceptConnectPort(&portHandle, NULL, PortMessage, FALSE, NULL, NULL);
return;
}
}
client = PhSvcCreateClient(&clientId);
if (!client)
{
NtAcceptConnectPort(&portHandle, NULL, PortMessage, FALSE, NULL, NULL);
return;
}
if (PhIsExecutingInWow64())
{
message64->p.ConnectInfo.ServerProcessId = HandleToUlong(NtCurrentProcessId());
clientView64.Length = sizeof(REMOTE_PORT_VIEW64);
clientView64.ViewSize = 0;
clientView64.ViewBase = 0;
actualClientView = (PREMOTE_PORT_VIEW)&clientView64;
}
else
{
message->p.ConnectInfo.ServerProcessId = HandleToUlong(NtCurrentProcessId());
clientView.Length = sizeof(REMOTE_PORT_VIEW);
clientView.ViewSize = 0;
clientView.ViewBase = NULL;
actualClientView = &clientView;
}
status = NtAcceptConnectPort(
&portHandle,
client,
PortMessage,
TRUE,
NULL,
actualClientView
);
if (!NT_SUCCESS(status))
{
PhDereferenceObject(client);
return;
}
// IMPORTANT: Since Vista, NtCompleteConnectPort does not do anything and simply returns STATUS_SUCCESS.
// We will call it anyway (for completeness), but we need to use an event to ensure that other threads don't try
// to process requests before we have finished setting up the client object.
client->PortHandle = portHandle;
if (PhIsExecutingInWow64())
{
client->ClientViewBase = (PVOID)clientView64.ViewBase;
client->ClientViewLimit = PTR_ADD_OFFSET(clientView64.ViewBase, clientView64.ViewSize);
}
else
{
client->ClientViewBase = clientView.ViewBase;
client->ClientViewLimit = PTR_ADD_OFFSET(clientView.ViewBase, clientView.ViewSize);
}
NtCompleteConnectPort(portHandle);
PhSetEvent(&client->ReadyEvent);
if (_InterlockedIncrement(&PhSvcApiNumberOfClients) == 1)
{
NtSetEvent(PhSvcTimeoutCancelEventHandle, NULL);
}
}
NTSTATUS PhpEnumHiddenProcessesBruteForce(
_In_ PPH_ENUM_HIDDEN_PROCESSES_CALLBACK Callback,
_In_opt_ PVOID Context
)
{
NTSTATUS status;
PVOID processes;
PSYSTEM_PROCESS_INFORMATION process;
PPH_LIST pids;
ULONG pid;
BOOLEAN stop = FALSE;
if (!NT_SUCCESS(status = PhEnumProcesses(&processes)))
return status;
pids = PhCreateList(40);
process = PH_FIRST_PROCESS(processes);
do
{
PhAddItemList(pids, process->UniqueProcessId);
} while (process = PH_NEXT_PROCESS(process));
PhFree(processes);
for (pid = 8; pid <= 65536; pid += 4)
{
NTSTATUS status2;
HANDLE processHandle;
PH_HIDDEN_PROCESS_ENTRY entry;
KERNEL_USER_TIMES times;
PPH_STRING fileName;
status2 = PhOpenProcess(
&processHandle,
ProcessQueryAccess,
UlongToHandle(pid)
);
if (NT_SUCCESS(status2))
{
entry.ProcessId = UlongToHandle(pid);
if (NT_SUCCESS(status2 = PhGetProcessTimes(
processHandle,
×
)) &&
NT_SUCCESS(status2 = PhGetProcessImageFileName(
processHandle,
&fileName
)))
{
entry.FileName = PhGetFileName(fileName);
PhDereferenceObject(fileName);
if (times.ExitTime.QuadPart != 0)
entry.Type = TerminatedProcess;
else if (PhFindItemList(pids, UlongToHandle(pid)) != -1)
entry.Type = NormalProcess;
else
entry.Type = HiddenProcess;
if (!Callback(&entry, Context))
stop = TRUE;
PhDereferenceObject(entry.FileName);
}
NtClose(processHandle);
}
// Use an alternative method if we don't have sufficient access.
if (status2 == STATUS_ACCESS_DENIED && WindowsVersion >= WINDOWS_VISTA)
{
if (NT_SUCCESS(status2 = PhGetProcessImageFileNameByProcessId(UlongToHandle(pid), &fileName)))
{
entry.ProcessId = UlongToHandle(pid);
entry.FileName = PhGetFileName(fileName);
PhDereferenceObject(fileName);
if (PhFindItemList(pids, UlongToHandle(pid)) != -1)
entry.Type = NormalProcess;
else
entry.Type = HiddenProcess;
if (!Callback(&entry, Context))
stop = TRUE;
PhDereferenceObject(entry.FileName);
}
}
if (status2 == STATUS_INVALID_CID || status2 == STATUS_INVALID_PARAMETER)
status2 = STATUS_SUCCESS;
if (!NT_SUCCESS(status2))
{
entry.ProcessId = UlongToHandle(pid);
entry.FileName = NULL;
entry.Type = UnknownProcess;
if (!Callback(&entry, Context))
stop = TRUE;
}
if (stop)
break;
}
PhDereferenceObject(pids);
return status;
}
static VOID PhpRefreshProcessList(
_In_ HWND hwndDlg,
_In_ PCHOOSE_PROCESS_DIALOG_CONTEXT Context
)
{
NTSTATUS status;
HWND lvHandle;
PVOID processes;
PSYSTEM_PROCESS_INFORMATION process;
lvHandle = Context->ListViewHandle;
ListView_DeleteAllItems(lvHandle);
ImageList_RemoveAll(Context->ImageList);
if (!NT_SUCCESS(status = PhEnumProcesses(&processes)))
{
PhShowStatus(hwndDlg, L"Unable to enumerate processes", status, 0);
return;
}
ExtendedListView_SetRedraw(lvHandle, FALSE);
process = PH_FIRST_PROCESS(processes);
do
{
INT lvItemIndex;
PPH_STRING name;
HANDLE processHandle;
PPH_STRING fileName = NULL;
HICON icon = NULL;
WCHAR processIdString[PH_INT32_STR_LEN_1];
PPH_STRING userName = NULL;
INT imageIndex;
if (process->UniqueProcessId != SYSTEM_IDLE_PROCESS_ID)
name = PhCreateStringFromUnicodeString(&process->ImageName);
else
name = PhCreateString(SYSTEM_IDLE_PROCESS_NAME);
lvItemIndex = PhAddListViewItem(lvHandle, MAXINT, name->Buffer, process->UniqueProcessId);
PhDereferenceObject(name);
if (NT_SUCCESS(PhOpenProcess(&processHandle, ProcessQueryAccess, process->UniqueProcessId)))
{
HANDLE tokenHandle;
PTOKEN_USER user;
if (!WINDOWS_HAS_IMAGE_FILE_NAME_BY_PROCESS_ID && process->UniqueProcessId != SYSTEM_PROCESS_ID)
PhGetProcessImageFileName(processHandle, &fileName);
if (NT_SUCCESS(PhOpenProcessToken(&tokenHandle, TOKEN_QUERY, processHandle)))
{
if (NT_SUCCESS(PhGetTokenUser(tokenHandle, &user)))
{
userName = PhGetSidFullName(user->User.Sid, TRUE, NULL);
PhFree(user);
}
NtClose(tokenHandle);
}
NtClose(processHandle);
}
if (process->UniqueProcessId == SYSTEM_IDLE_PROCESS_ID && !userName && PhLocalSystemName)
PhSetReference(&userName, PhLocalSystemName);
if (WINDOWS_HAS_IMAGE_FILE_NAME_BY_PROCESS_ID && process->UniqueProcessId != SYSTEM_PROCESS_ID)
PhGetProcessImageFileNameByProcessId(process->UniqueProcessId, &fileName);
if (process->UniqueProcessId == SYSTEM_PROCESS_ID)
fileName = PhGetKernelFileName();
if (fileName)
PhMoveReference(&fileName, PhGetFileName(fileName));
icon = PhGetFileShellIcon(PhGetString(fileName), L".exe", FALSE);
// Icon
if (icon)
{
imageIndex = ImageList_AddIcon(Context->ImageList, icon);
PhSetListViewItemImageIndex(Context->ListViewHandle, lvItemIndex, imageIndex);
DestroyIcon(icon);
}
// PID
PhPrintUInt32(processIdString, HandleToUlong(process->UniqueProcessId));
PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 1, processIdString);
// User Name
PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 2, PhGetString(userName));
if (userName) PhDereferenceObject(userName);
if (fileName) PhDereferenceObject(fileName);
} while (process = PH_NEXT_PROCESS(process));
PhFree(processes);
ExtendedListView_SortItems(lvHandle);
ExtendedListView_SetRedraw(lvHandle, TRUE);
}
static VOID DbgProcessLogMessageEntry(
_Inout_ PPH_DBGEVENTS_CONTEXT Context,
_In_ BOOLEAN GlobalEvents
)
{
NTSTATUS status;
PDBWIN_PAGE_BUFFER debugMessageBuffer;
PDEBUG_LOG_ENTRY entry = NULL;
HANDLE processHandle = NULL;
PPH_STRING fileName = NULL;
HICON icon = NULL;
debugMessageBuffer = GlobalEvents ? Context->GlobalDebugBuffer : Context->LocalDebugBuffer;
entry = PhAllocate(sizeof(DEBUG_LOG_ENTRY));
memset(entry, 0, sizeof(DEBUG_LOG_ENTRY));
PhQuerySystemTime(&entry->Time);
entry->ProcessId = UlongToHandle(debugMessageBuffer->ProcessId);
entry->Message = PhConvertMultiByteToUtf16(debugMessageBuffer->Buffer);
if (WINDOWS_HAS_IMAGE_FILE_NAME_BY_PROCESS_ID)
{
status = PhGetProcessImageFileNameByProcessId(entry->ProcessId, &fileName);
}
else
{
if (NT_SUCCESS(status = PhOpenProcess(&processHandle, ProcessQueryAccess, entry->ProcessId)))
{
status = PhGetProcessImageFileName(processHandle, &fileName);
NtClose(processHandle);
}
}
if (!NT_SUCCESS(status))
fileName = PhGetKernelFileName();
PhSwapReference2(&fileName, PhGetFileName(fileName));
icon = PhGetFileShellIcon(PhGetString(fileName), L".exe", TRUE);
if (icon)
{
entry->ImageIndex = ImageList_AddIcon(Context->ListViewImageList, icon);
DestroyIcon(icon);
}
entry->FilePath = fileName;
entry->ProcessName = PhGetBaseName(fileName);
// Drop event if it matches a filter
for (ULONG i = 0; i < Context->ExcludeList->Count; i++)
{
PDBG_FILTER_TYPE filterEntry = Context->ExcludeList->Items[i];
if (filterEntry->Type == FilterByName)
{
if (PhEqualString(filterEntry->ProcessName, entry->ProcessName, TRUE))
{
DbgFreeLogEntry(entry);
return;
}
}
else if (filterEntry->Type == FilterByPid)
{
if (filterEntry->ProcessId == entry->ProcessId)
{
DbgFreeLogEntry(entry);
return;
}
}
}
DbgAddLogEntry(Context, entry);
}
