VOID NTAPI SystemInformationInitializingCallback(
_In_opt_ PVOID Parameter,
_In_opt_ PVOID Context
)
{
PPH_PLUGIN_SYSINFO_POINTERS pluginEntry = (PPH_PLUGIN_SYSINFO_POINTERS)Parameter;
// Disk Drives
PhAcquireQueuedLockShared(&DiskDrivesListLock);
for (ULONG i = 0; i < DiskDrivesList->Count; i++)
{
PDV_DISK_ENTRY entry = PhReferenceObjectSafe(DiskDrivesList->Items[i]);
if (!entry)
continue;
if (entry->DevicePresent)
{
DiskDriveSysInfoInitializing(pluginEntry, entry);
}
}
PhReleaseQueuedLockShared(&DiskDrivesListLock);
// Network Adapters
PhAcquireQueuedLockShared(&NetworkAdaptersListLock);
for (ULONG i = 0; i < NetworkAdaptersList->Count; i++)
{
PDV_NETADAPTER_ENTRY entry = PhReferenceObjectSafe(NetworkAdaptersList->Items[i]);
if (!entry)
continue;
if (entry->DevicePresent)
{
NetAdapterSysInfoInitializing(pluginEntry, entry);
}
}
PhReleaseQueuedLockShared(&NetworkAdaptersListLock);
// Graphics cards
NvGpuSysInfoInitializing(pluginEntry);
}
PET_DISK_ITEM EtReferenceDiskItem(
__in HANDLE ProcessId,
__in PPH_STRING FileName
)
{
ET_DISK_ITEM lookupDiskItem;
PET_DISK_ITEM lookupDiskItemPtr = &lookupDiskItem;
PET_DISK_ITEM *diskItemPtr;
PET_DISK_ITEM diskItem;
lookupDiskItem.ProcessId = ProcessId;
lookupDiskItem.FileName = FileName;
PhAcquireQueuedLockShared(&EtDiskHashtableLock);
diskItemPtr = (PET_DISK_ITEM *)PhFindEntryHashtable(
EtDiskHashtable,
&lookupDiskItemPtr
);
if (diskItemPtr)
{
diskItem = *diskItemPtr;
PhReferenceObject(diskItem);
}
else
{
diskItem = NULL;
}
PhReleaseQueuedLockShared(&EtDiskHashtableLock);
return diskItem;
}
PPH_STRING EtFileObjectToFileName(
__in PVOID FileObject
)
{
PH_KEY_VALUE_PAIR pair;
PPH_KEY_VALUE_PAIR realPair;
PPH_STRING fileName;
pair.Key = FileObject;
fileName = NULL;
PhAcquireQueuedLockShared(&EtFileNameHashtableLock);
realPair = PhFindEntryHashtable(EtFileNameHashtable, &pair);
if (realPair)
{
fileName = realPair->Value;
PhReferenceObject(fileName);
}
PhReleaseQueuedLockShared(&EtFileNameHashtableLock);
return fileName;
}
VOID NTAPI ProcessesUpdatedCallback(
__in_opt PVOID Parameter,
__in_opt PVOID Context
)
{
PBOXED_PROCESS boxedProcess;
ULONG enumerationKey = 0;
if (BoxedProcessesUpdated)
{
// Invalidate the nodes of boxed processes (so they use the correct highlighting color).
PhAcquireQueuedLockShared(&BoxedProcessesLock);
if (BoxedProcessesUpdated)
{
while (PhEnumHashtable(BoxedProcessesHashtable, &boxedProcess, &enumerationKey))
{
PPH_PROCESS_NODE processNode;
if (processNode = PhFindProcessNode(boxedProcess->ProcessId))
PhUpdateProcessNode(processNode);
}
BoxedProcessesUpdated = FALSE;
}
PhReleaseQueuedLockShared(&BoxedProcessesLock);
}
}
PET_DISK_ITEM EtReferenceDiskItem(
_In_ HANDLE ProcessId,
_In_ PPH_STRING FileName
)
{
ET_DISK_ITEM lookupDiskItem;
PET_DISK_ITEM lookupDiskItemPtr = &lookupDiskItem;
PET_DISK_ITEM *diskItemPtr;
PET_DISK_ITEM diskItem;
lookupDiskItem.ProcessId = ProcessId;
lookupDiskItem.FileName = FileName;
PhAcquireQueuedLockShared(&EtDiskHashtableLock);
diskItemPtr = (PET_DISK_ITEM *)PhFindEntryHashtable(
EtDiskHashtable,
&lookupDiskItemPtr
);
if (diskItemPtr)
PhSetReference(&diskItem, *diskItemPtr);
else
diskItem = NULL;
PhReleaseQueuedLockShared(&EtDiskHashtableLock);
return diskItem;
}
_May_raise_ PH_INTEGER_PAIR PhGetIntegerPairSetting(
_In_ PWSTR Name
)
{
PPH_SETTING setting;
PH_STRINGREF name;
PH_INTEGER_PAIR value;
PhInitializeStringRef(&name, Name);
PhAcquireQueuedLockShared(&PhSettingsLock);
setting = PhpLookupSetting(&name);
if (setting && setting->Type == IntegerPairSettingType)
{
value = setting->u.IntegerPair;
}
else
{
setting = NULL;
}
PhReleaseQueuedLockShared(&PhSettingsLock);
if (!setting)
PhRaiseStatus(STATUS_NOT_FOUND);
return value;
}
LRESULT CALLBACK MainWndDevicesSubclassProc(
_In_ HWND hWnd,
_In_ UINT uMsg,
_In_ WPARAM wParam,
_In_ LPARAM lParam,
_In_ UINT_PTR uIdSubclass,
_In_ ULONG_PTR dwRefData
)
{
// The IOCTL_MOUNTMGR_CHANGE_NOTIFY callback would have been preferred but doesn't work from non-elevated processes?
switch (uMsg)
{
case WM_DEVICECHANGE:
{
switch (wParam)
{
case DBT_DEVICEARRIVAL: // Drive letter added
case DBT_DEVICEREMOVECOMPLETE: // Drive letter removed
{
DEV_BROADCAST_HDR* deviceBroadcast = (DEV_BROADCAST_HDR*)lParam;
if (deviceBroadcast->dbch_devicetype == DBT_DEVTYP_VOLUME)
{
//DEV_BROADCAST_VOLUME* deviceVolume = (DEV_BROADCAST_VOLUME*)deviceBroadcast;
PhAcquireQueuedLockShared(&DiskDrivesListLock);
for (ULONG i = 0; i < DiskDrivesList->Count; i++)
{
PDV_DISK_ENTRY entry;
entry = PhReferenceObjectSafe(DiskDrivesList->Items[i]);
if (!entry)
continue;
// Reset the DiskIndexName so we can re-query the device letter on the next interval update.
PhClearReference(&entry->DiskIndexName);
PhDereferenceObjectDeferDelete(entry);
}
PhReleaseQueuedLockShared(&DiskDrivesListLock);
}
}
}
goto DefaultWndProc;
}
break;
}
return DefSubclassProc(hWnd, uMsg, wParam, lParam);
DefaultWndProc:
return DefWindowProc(hWnd, uMsg, wParam, lParam);
}
HANDLE EtThreadIdToProcessId(
_In_ HANDLE ThreadId
)
{
PSYSTEM_PROCESS_INFORMATION process;
ULONG i;
HANDLE processId;
PhAcquireQueuedLockShared(&EtpProcessInformationLock);
if (!EtpProcessInformation)
{
PhReleaseQueuedLockShared(&EtpProcessInformationLock);
return SYSTEM_PROCESS_ID;
}
process = PH_FIRST_PROCESS(EtpProcessInformation);
do
{
for (i = 0; i < process->NumberOfThreads; i++)
{
if (process->Threads[i].ClientId.UniqueThread == ThreadId)
{
processId = process->UniqueProcessId;
PhReleaseQueuedLockShared(&EtpProcessInformationLock);
return processId;
}
}
} while (process = PH_NEXT_PROCESS(process));
PhReleaseQueuedLockShared(&EtpProcessInformationLock);
return SYSTEM_PROCESS_ID;
}
_May_raise_ PH_SCALABLE_INTEGER_PAIR PhGetScalableIntegerPairSetting(
_In_ PWSTR Name,
_In_ BOOLEAN ScaleToCurrent
)
{
PPH_SETTING setting;
PH_STRINGREF name;
PH_SCALABLE_INTEGER_PAIR value;
PhInitializeStringRef(&name, Name);
PhAcquireQueuedLockShared(&PhSettingsLock);
setting = PhpLookupSetting(&name);
if (setting && setting->Type == ScalableIntegerPairSettingType)
{
value = *(PPH_SCALABLE_INTEGER_PAIR)setting->u.Pointer;
}
else
{
setting = NULL;
}
PhReleaseQueuedLockShared(&PhSettingsLock);
if (!setting)
PhRaiseStatus(STATUS_NOT_FOUND);
if (ScaleToCurrent)
{
ULONG currentScale;
currentScale = PhpGetCurrentScale();
if (value.Scale != currentScale && value.Scale != 0)
{
value.X = PhMultiplyDivideSigned(value.X, currentScale, value.Scale);
value.Y = PhMultiplyDivideSigned(value.Y, currentScale, value.Scale);
value.Scale = currentScale;
}
}
return value;
}
PPH_HANDLE_ITEM PhReferenceHandleItem(
_In_ PPH_HANDLE_PROVIDER HandleProvider,
_In_ HANDLE Handle
)
{
PPH_HANDLE_ITEM handleItem;
PhAcquireQueuedLockShared(&HandleProvider->HandleHashSetLock);
handleItem = PhpLookupHandleItem(HandleProvider, Handle);
if (handleItem)
PhReferenceObject(handleItem);
PhReleaseQueuedLockShared(&HandleProvider->HandleHashSetLock);
return handleItem;
}
static VOID FindNetworkAdapters(
_In_ PDV_NETADAPTER_CONTEXT Context,
_In_ BOOLEAN ShowHiddenAdapters
)
{
ULONG bufferLength = 0;
PVOID buffer = NULL;
ULONG flags = GAA_FLAG_SKIP_UNICAST | GAA_FLAG_SKIP_ANYCAST | GAA_FLAG_SKIP_MULTICAST | GAA_FLAG_SKIP_DNS_SERVER;
if (ShowHiddenAdapters && WindowsVersion >= WINDOWS_VISTA)
{
flags |= GAA_FLAG_INCLUDE_ALL_INTERFACES;
}
__try
{
if (GetAdaptersAddresses(AF_UNSPEC, flags, NULL, NULL, &bufferLength) != ERROR_BUFFER_OVERFLOW)
__leave;
buffer = PhAllocate(bufferLength);
memset(buffer, 0, bufferLength);
if (GetAdaptersAddresses(AF_UNSPEC, flags, NULL, buffer, &bufferLength) == ERROR_SUCCESS)
{
PhAcquireQueuedLockShared(&NetworkAdaptersListLock);
for (PIP_ADAPTER_ADDRESSES i = buffer; i; i = i->Next)
{
//if (addressesBuffer->IfType != IF_TYPE_SOFTWARE_LOOPBACK)
AddNetworkAdapterToListView(Context, i);
}
PhReleaseQueuedLockShared(&NetworkAdaptersListLock);
}
}
__finally
{
if (buffer)
{
PhFree(buffer);
}
}
}
VOID NTAPI MenuItemCallback(
__in_opt PVOID Parameter,
__in_opt PVOID Context
)
{
PPH_PLUGIN_MENU_ITEM menuItem = Parameter;
switch (menuItem->Id)
{
case 1:
{
if (PhShowConfirmMessage(
PhMainWndHandle,
L"terminate",
L"all sandboxed processes",
NULL,
FALSE
))
{
PBOXED_PROCESS boxedProcess;
ULONG enumerationKey = 0;
// Make sure we have an update-to-date list.
RefreshSandboxieInfo(NULL, FALSE);
PhAcquireQueuedLockShared(&BoxedProcessesLock);
while (PhEnumHashtable(BoxedProcessesHashtable, &boxedProcess, &enumerationKey))
{
HANDLE processHandle;
if (NT_SUCCESS(PhOpenProcess(&processHandle, PROCESS_TERMINATE, boxedProcess->ProcessId)))
{
PhTerminateProcess(processHandle, STATUS_SUCCESS);
NtClose(processHandle);
}
}
PhReleaseQueuedLockShared(&BoxedProcessesLock);
}
}
break;
}
}
BOOLEAN FindDiskEntry(
_In_ PDV_DISK_ID Id,
_In_ BOOLEAN RemoveUserReference
)
{
BOOLEAN found = FALSE;
PhAcquireQueuedLockShared(&DiskDrivesListLock);
for (ULONG i = 0; i < DiskDrivesList->Count; i++)
{
PDV_DISK_ENTRY currentEntry = PhReferenceObjectSafe(DiskDrivesList->Items[i]);
if (!currentEntry)
continue;
found = EquivalentDiskId(¤tEntry->Id, Id);
if (found)
{
if (RemoveUserReference)
{
if (currentEntry->UserReference)
{
PhDereferenceObjectDeferDelete(currentEntry);
currentEntry->UserReference = FALSE;
}
}
PhDereferenceObjectDeferDelete(currentEntry);
break;
}
else
{
PhDereferenceObjectDeferDelete(currentEntry);
}
}
PhReleaseQueuedLockShared(&DiskDrivesListLock);
return found;
}
static BOOLEAN FindAdapterEntry(
_In_ PDV_NETADAPTER_ID Id,
_In_ BOOLEAN RemoveUserReference
)
{
BOOLEAN found = FALSE;
PhAcquireQueuedLockShared(&NetworkAdaptersListLock);
for (ULONG i = 0; i < NetworkAdaptersList->Count; i++)
{
PDV_NETADAPTER_ENTRY currentEntry = PhReferenceObjectSafe(NetworkAdaptersList->Items[i]);
if (!currentEntry)
continue;
found = EquivalentNetAdapterId(¤tEntry->Id, Id);
if (found)
{
if (RemoveUserReference)
{
if (currentEntry->UserReference)
{
PhDereferenceObjectDeferDelete(currentEntry);
currentEntry->UserReference = FALSE;
}
}
PhDereferenceObjectDeferDelete(currentEntry);
break;
}
else
{
PhDereferenceObjectDeferDelete(currentEntry);
}
}
PhReleaseQueuedLockShared(&NetworkAdaptersListLock);
return found;
}
_May_raise_ PPH_STRING PhGetStringSetting(
_In_ PWSTR Name
)
{
PPH_SETTING setting;
PH_STRINGREF name;
PPH_STRING value;
PhInitializeStringRef(&name, Name);
PhAcquireQueuedLockShared(&PhSettingsLock);
setting = PhpLookupSetting(&name);
if (setting && setting->Type == StringSettingType)
{
if (setting->u.Pointer)
{
PhSetReference(&value, setting->u.Pointer);
}
else
{
// Set to NULL, create an empty string
// outside of the lock.
value = NULL;
}
}
else
{
setting = NULL;
}
PhReleaseQueuedLockShared(&PhSettingsLock);
if (!setting)
PhRaiseStatus(STATUS_NOT_FOUND);
if (!value)
value = PhReferenceEmptyString();
return value;
}
VOID NTAPI GetProcessTooltipTextCallback(
__in_opt PVOID Parameter,
__in_opt PVOID Context
)
{
PPH_PLUGIN_GET_TOOLTIP_TEXT getTooltipText = Parameter;
BOXED_PROCESS lookupBoxedProcess;
PBOXED_PROCESS boxedProcess;
PhAcquireQueuedLockShared(&BoxedProcessesLock);
lookupBoxedProcess.ProcessId = ((PPH_PROCESS_ITEM)getTooltipText->Parameter)->ProcessId;
if (boxedProcess = PhFindEntryHashtable(BoxedProcessesHashtable, &lookupBoxedProcess))
{
PhAppendFormatStringBuilder(getTooltipText->StringBuilder, L"Sandboxie:\n Box name: %s\n", boxedProcess->BoxName);
}
PhReleaseQueuedLockShared(&BoxedProcessesLock);
}
static VOID NTAPI SystemInformationInitializingCallback(
_In_opt_ PVOID Parameter,
_In_opt_ PVOID Context
)
{
PPH_PLUGIN_SYSINFO_POINTERS pluginEntry = (PPH_PLUGIN_SYSINFO_POINTERS)Parameter;
PhAcquireQueuedLockShared(&NetworkAdaptersListLock);
for (ULONG i = 0; i < NetworkAdaptersList->Count; i++)
{
PDV_NETADAPTER_ENTRY entry = PhReferenceObjectSafe(NetworkAdaptersList->Items[i]);
if (!entry)
continue;
NetAdapterSysInfoInitializing(pluginEntry, entry);
}
PhReleaseQueuedLockShared(&NetworkAdaptersListLock);
}
PPH_SERVICE_ITEM PhReferenceServiceItem(
_In_ PWSTR Name
)
{
PPH_SERVICE_ITEM serviceItem;
PH_STRINGREF key;
// Construct a temporary service item for the lookup.
PhInitializeStringRef(&key, Name);
PhAcquireQueuedLockShared(&PhServiceHashtableLock);
serviceItem = PhpLookupServiceItem(&key);
if (serviceItem)
PhReferenceObject(serviceItem);
PhReleaseQueuedLockShared(&PhServiceHashtableLock);
return serviceItem;
}
VOID NetAdaptersSaveList(
VOID
)
{
PH_STRING_BUILDER stringBuilder;
PPH_STRING settingsString;
PhInitializeStringBuilder(&stringBuilder, 260);
PhAcquireQueuedLockShared(&NetworkAdaptersListLock);
for (ULONG i = 0; i < NetworkAdaptersList->Count; i++)
{
PDV_NETADAPTER_ENTRY entry = PhReferenceObjectSafe(NetworkAdaptersList->Items[i]);
if (!entry)
continue;
if (entry->UserReference)
{
PhAppendFormatStringBuilder(
&stringBuilder,
L"%lu,%I64u,%s,",
entry->AdapterId.InterfaceIndex, // This value is UNSAFE and will change after reboot.
entry->AdapterId.InterfaceLuid.Value, // This value is SAFE and does not change (Vista+).
entry->AdapterId.InterfaceGuid->Buffer
);
}
PhDereferenceObjectDeferDelete(entry);
}
PhReleaseQueuedLockShared(&NetworkAdaptersListLock);
if (stringBuilder.String->Length != 0)
PhRemoveEndStringBuilder(&stringBuilder, 1);
settingsString = PH_AUTO(PhFinalStringBuilderString(&stringBuilder));
PhSetStringSetting2(SETTING_NAME_INTERFACE_LIST, &settingsString->sr);
}
VOID NTAPI GetProcessHighlightingColorCallback(
__in_opt PVOID Parameter,
__in_opt PVOID Context
)
{
PPH_PLUGIN_GET_HIGHLIGHTING_COLOR getHighlightingColor = Parameter;
BOXED_PROCESS lookupBoxedProcess;
PBOXED_PROCESS boxedProcess;
PhAcquireQueuedLockShared(&BoxedProcessesLock);
lookupBoxedProcess.ProcessId = ((PPH_PROCESS_ITEM)getHighlightingColor->Parameter)->ProcessId;
if (boxedProcess = PhFindEntryHashtable(BoxedProcessesHashtable, &lookupBoxedProcess))
{
getHighlightingColor->BackColor = RGB(0x33, 0x33, 0x00);
getHighlightingColor->Cache = TRUE;
getHighlightingColor->Handled = TRUE;
}
PhReleaseQueuedLockShared(&BoxedProcessesLock);
}
VOID DiskDrivesSaveList(
VOID
)
{
PH_STRING_BUILDER stringBuilder;
PPH_STRING settingsString;
PhInitializeStringBuilder(&stringBuilder, 260);
PhAcquireQueuedLockShared(&DiskDrivesListLock);
for (ULONG i = 0; i < DiskDrivesList->Count; i++)
{
PDV_DISK_ENTRY entry = PhReferenceObjectSafe(DiskDrivesList->Items[i]);
if (!entry)
continue;
if (entry->UserReference)
{
PhAppendFormatStringBuilder(
&stringBuilder,
L"%s,",
entry->Id.DevicePath->Buffer // This value is SAFE and does not change.
);
}
PhDereferenceObjectDeferDelete(entry);
}
PhReleaseQueuedLockShared(&DiskDrivesListLock);
if (stringBuilder.String->Length != 0)
PhRemoveEndStringBuilder(&stringBuilder, 1);
settingsString = PH_AUTO(PhFinalStringBuilderString(&stringBuilder));
PhSetStringSetting2(SETTING_NAME_DISK_LIST, &settingsString->sr);
}
ULONG64 PhGetModuleFromAddress(
_In_ PPH_SYMBOL_PROVIDER SymbolProvider,
_In_ ULONG64 Address,
_Out_opt_ PPH_STRING *FileName
)
{
PH_SYMBOL_MODULE lookupModule;
PPH_AVL_LINKS links;
PPH_SYMBOL_MODULE module;
LONG result;
PPH_STRING foundFileName;
ULONG64 foundBaseAddress;
module = NULL;
foundFileName = NULL;
foundBaseAddress = 0;
// Do an approximate search on the modules set to locate the module with the largest
// base address that is still smaller than the given address.
lookupModule.BaseAddress = Address;
PhAcquireQueuedLockShared(&SymbolProvider->ModulesListLock);
links = PhFindElementAvlTree2(&SymbolProvider->ModulesSet, &lookupModule.Links, &result);
if (links)
{
if (result == 0)
{
// Exact match.
}
else if (result < 0)
{
// The base of the closest module is larger than our address. Assume the
// preceding element (which is going to be smaller than our address) is the
// one we're looking for.
links = PhPredecessorElementAvlTree(links);
}
else
{
// The base of the closest module is smaller than our address. Assume this
// is the element we're looking for.
}
if (links)
{
module = CONTAINING_RECORD(links, PH_SYMBOL_MODULE, Links);
}
}
else
{
// No modules loaded.
}
if (module && Address < module->BaseAddress + module->Size)
{
foundFileName = module->FileName;
PhReferenceObject(foundFileName);
foundBaseAddress = module->BaseAddress;
}
PhReleaseQueuedLockShared(&SymbolProvider->ModulesListLock);
if (foundFileName)
{
if (FileName)
{
*FileName = foundFileName;
}
else
{
PhDereferenceObject(foundFileName);
}
}
return foundBaseAddress;
}
NTSTATUS PhSaveSettings(
_In_ PWSTR FileName
)
{
NTSTATUS status;
HANDLE fileHandle;
mxml_node_t *topNode;
PH_HASHTABLE_ENUM_CONTEXT enumContext;
PPH_SETTING setting;
topNode = mxmlNewElement(MXML_NO_PARENT, "settings");
PhAcquireQueuedLockShared(&PhSettingsLock);
PhBeginEnumHashtable(PhSettingsHashtable, &enumContext);
while (setting = PhNextEnumHashtable(&enumContext))
{
PPH_STRING settingValue;
settingValue = PhpSettingToString(setting->Type, setting);
PhpCreateSettingElement(topNode, &setting->Name, &settingValue->sr);
PhDereferenceObject(settingValue);
}
// Write the ignored settings.
{
ULONG i;
for (i = 0; i < PhIgnoredSettings->Count; i++)
{
PPH_STRING settingValue;
setting = PhIgnoredSettings->Items[i];
settingValue = setting->u.Pointer;
PhpCreateSettingElement(topNode, &setting->Name, &settingValue->sr);
}
}
PhReleaseQueuedLockShared(&PhSettingsLock);
// Create the directory if it does not exist.
{
PPH_STRING fullPath;
ULONG indexOfFileName;
PPH_STRING directoryName;
fullPath = PhGetFullPath(FileName, &indexOfFileName);
if (fullPath)
{
if (indexOfFileName != -1)
{
directoryName = PhSubstring(fullPath, 0, indexOfFileName);
//SHCreateDirectoryEx(NULL, directoryName->Buffer, NULL);
PhDereferenceObject(directoryName);
}
PhDereferenceObject(fullPath);
}
}
status = PhCreateFileWin32(
&fileHandle,
FileName,
FILE_GENERIC_WRITE,
0,
FILE_SHARE_READ,
FILE_OVERWRITE_IF,
FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT
);
if (!NT_SUCCESS(status))
{
mxmlDelete(topNode);
return status;
}
mxmlSaveFd(topNode, fileHandle, PhpSettingsSaveCallback);
mxmlDelete(topNode);
NtClose(fileHandle);
return STATUS_SUCCESS;
}
PPH_STRING PhGetProcessTooltipText(
_In_ PPH_PROCESS_ITEM Process,
_Out_opt_ PULONG ValidToTickCount
)
{
PH_STRING_BUILDER stringBuilder;
ULONG validForMs = 60 * 60 * 1000; // 1 hour
PPH_STRING tempString;
PH_KNOWN_PROCESS_TYPE knownProcessType = UnknownProcessType;
PhInitializeStringBuilder(&stringBuilder, 200);
// Command line
if (Process->CommandLine)
{
tempString = PhEllipsisString(Process->CommandLine, 100 * 10);
// This is necessary because the tooltip control seems to use some kind of O(n^9999) word-wrapping
// algorithm.
PhpAppendStringWithLineBreaks(&stringBuilder, &tempString->sr, 100, NULL);
PhAppendCharStringBuilder(&stringBuilder, '\n');
PhDereferenceObject(tempString);
}
// File information
tempString = PhFormatImageVersionInfo(
Process->FileName,
&Process->VersionInfo,
&StandardIndent,
0
);
if (!PhIsNullOrEmptyString(tempString))
{
PhAppendStringBuilder2(&stringBuilder, L"File:\n");
PhAppendStringBuilder(&stringBuilder, &tempString->sr);
PhAppendCharStringBuilder(&stringBuilder, '\n');
}
if (tempString)
PhDereferenceObject(tempString);
// Known command line information
if (Process->QueryHandle)
PhGetProcessKnownType(Process->QueryHandle, &knownProcessType);
if (Process->CommandLine && Process->QueryHandle)
{
PH_KNOWN_PROCESS_COMMAND_LINE knownCommandLine;
if (knownProcessType != UnknownProcessType && PhaGetProcessKnownCommandLine(
Process->CommandLine,
knownProcessType,
&knownCommandLine
))
{
switch (knownProcessType & KnownProcessTypeMask)
{
case ServiceHostProcessType:
PhAppendStringBuilder2(&stringBuilder, L"Service group name:\n ");
PhAppendStringBuilder(&stringBuilder, &knownCommandLine.ServiceHost.GroupName->sr);
PhAppendCharStringBuilder(&stringBuilder, '\n');
break;
case RunDllAsAppProcessType:
{
PH_IMAGE_VERSION_INFO versionInfo;
if (PhInitializeImageVersionInfo(
&versionInfo,
knownCommandLine.RunDllAsApp.FileName->Buffer
))
{
tempString = PhFormatImageVersionInfo(
knownCommandLine.RunDllAsApp.FileName,
&versionInfo,
&StandardIndent,
0
);
if (!PhIsNullOrEmptyString(tempString))
{
PhAppendStringBuilder2(&stringBuilder, L"Run DLL target file:\n");
PhAppendStringBuilder(&stringBuilder, &tempString->sr);
PhAppendCharStringBuilder(&stringBuilder, '\n');
}
if (tempString)
PhDereferenceObject(tempString);
PhDeleteImageVersionInfo(&versionInfo);
}
}
break;
case ComSurrogateProcessType:
{
PH_IMAGE_VERSION_INFO versionInfo;
PPH_STRING guidString;
PhAppendStringBuilder2(&stringBuilder, L"COM target:\n");
if (knownCommandLine.ComSurrogate.Name)
{
PhAppendStringBuilder(&stringBuilder, &StandardIndent);
PhAppendStringBuilder(&stringBuilder, &knownCommandLine.ComSurrogate.Name->sr);
PhAppendCharStringBuilder(&stringBuilder, '\n');
}
if (guidString = PhFormatGuid(&knownCommandLine.ComSurrogate.Guid))
{
PhAppendStringBuilder(&stringBuilder, &StandardIndent);
PhAppendStringBuilder(&stringBuilder, &guidString->sr);
PhDereferenceObject(guidString);
PhAppendCharStringBuilder(&stringBuilder, '\n');
}
if (knownCommandLine.ComSurrogate.FileName && PhInitializeImageVersionInfo(
&versionInfo,
knownCommandLine.ComSurrogate.FileName->Buffer
))
{
tempString = PhFormatImageVersionInfo(
knownCommandLine.ComSurrogate.FileName,
&versionInfo,
&StandardIndent,
0
);
if (!PhIsNullOrEmptyString(tempString))
{
PhAppendStringBuilder2(&stringBuilder, L"COM target file:\n");
PhAppendStringBuilder(&stringBuilder, &tempString->sr);
PhAppendCharStringBuilder(&stringBuilder, '\n');
}
if (tempString)
PhDereferenceObject(tempString);
PhDeleteImageVersionInfo(&versionInfo);
}
}
break;
}
}
}
// Services
if (Process->ServiceList && Process->ServiceList->Count != 0)
{
ULONG enumerationKey = 0;
PPH_SERVICE_ITEM serviceItem;
PPH_LIST serviceList;
ULONG i;
// Copy the service list into our own list so we can sort it.
serviceList = PhCreateList(Process->ServiceList->Count);
PhAcquireQueuedLockShared(&Process->ServiceListLock);
while (PhEnumPointerList(
Process->ServiceList,
&enumerationKey,
&serviceItem
))
{
PhReferenceObject(serviceItem);
PhAddItemList(serviceList, serviceItem);
}
PhReleaseQueuedLockShared(&Process->ServiceListLock);
qsort(serviceList->Items, serviceList->Count, sizeof(PPH_SERVICE_ITEM), ServiceForTooltipCompare);
PhAppendStringBuilder2(&stringBuilder, L"Services:\n");
// Add the services.
for (i = 0; i < serviceList->Count; i++)
{
serviceItem = serviceList->Items[i];
PhAppendStringBuilder(&stringBuilder, &StandardIndent);
PhAppendStringBuilder(&stringBuilder, &serviceItem->Name->sr);
PhAppendStringBuilder2(&stringBuilder, L" (");
PhAppendStringBuilder(&stringBuilder, &serviceItem->DisplayName->sr);
PhAppendStringBuilder2(&stringBuilder, L")\n");
}
PhDereferenceObjects(serviceList->Items, serviceList->Count);
PhDereferenceObject(serviceList);
}
// Tasks, Drivers
switch (knownProcessType & KnownProcessTypeMask)
{
case TaskHostProcessType:
{
PH_STRING_BUILDER tasks;
PhInitializeStringBuilder(&tasks, 40);
PhpFillRunningTasks(Process, &tasks);
if (tasks.String->Length != 0)
{
PhAppendStringBuilder2(&stringBuilder, L"Tasks:\n");
PhAppendStringBuilder(&stringBuilder, &tasks.String->sr);
}
PhDeleteStringBuilder(&tasks);
}
break;
case UmdfHostProcessType:
{
PH_STRING_BUILDER drivers;
PhInitializeStringBuilder(&drivers, 40);
PhpFillUmdfDrivers(Process, &drivers);
if (drivers.String->Length != 0)
{
PhAppendStringBuilder2(&stringBuilder, L"Drivers:\n");
PhAppendStringBuilder(&stringBuilder, &drivers.String->sr);
}
PhDeleteStringBuilder(&drivers);
validForMs = 10 * 1000; // 10 seconds
}
break;
}
// Plugin
if (PhPluginsEnabled)
{
PH_PLUGIN_GET_TOOLTIP_TEXT getTooltipText;
getTooltipText.Parameter = Process;
getTooltipText.StringBuilder = &stringBuilder;
getTooltipText.ValidForMs = validForMs;
PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackGetProcessTooltipText), &getTooltipText);
validForMs = getTooltipText.ValidForMs;
}
// Notes
{
PH_STRING_BUILDER notes;
PhInitializeStringBuilder(¬es, 40);
if (Process->FileName)
{
if (Process->VerifyResult == VrTrusted)
{
if (!PhIsNullOrEmptyString(Process->VerifySignerName))
PhAppendFormatStringBuilder(¬es, L" Signer: %s\n", Process->VerifySignerName->Buffer);
else
PhAppendStringBuilder2(¬es, L" Signed.\n");
}
else if (Process->VerifyResult == VrUnknown)
{
// Nothing
}
else if (Process->VerifyResult != VrNoSignature)
{
PhAppendStringBuilder2(¬es, L" Signature invalid.\n");
}
}
if (Process->IsPacked)
{
PhAppendFormatStringBuilder(
¬es,
L" Image is probably packed (%u imports over %u modules).\n",
Process->ImportFunctions,
Process->ImportModules
);
}
if ((ULONG_PTR)Process->ConsoleHostProcessId & ~3)
{
CLIENT_ID clientId;
PWSTR description = L"Console host";
PPH_STRING clientIdString;
clientId.UniqueProcess = (HANDLE)((ULONG_PTR)Process->ConsoleHostProcessId & ~3);
clientId.UniqueThread = NULL;
if ((ULONG_PTR)Process->ConsoleHostProcessId & 2)
description = L"Console application";
clientIdString = PhGetClientIdName(&clientId);
PhAppendFormatStringBuilder(¬es, L" %s: %s\n", description, clientIdString->Buffer);
PhDereferenceObject(clientIdString);
}
if (Process->PackageFullName)
{
PhAppendFormatStringBuilder(¬es, L" Package name: %s\n", Process->PackageFullName->Buffer);
}
if (Process->IsDotNet)
PhAppendStringBuilder2(¬es, L" Process is managed (.NET).\n");
if (Process->IsElevated)
PhAppendStringBuilder2(¬es, L" Process is elevated.\n");
if (Process->IsImmersive)
PhAppendStringBuilder2(¬es, L" Process is a Modern UI app.\n");
if (Process->IsInJob)
PhAppendStringBuilder2(¬es, L" Process is in a job.\n");
if (Process->IsPosix)
PhAppendStringBuilder2(¬es, L" Process is POSIX.\n");
if (Process->IsWow64)
PhAppendStringBuilder2(¬es, L" Process is 32-bit (WOW64).\n");
if (notes.String->Length != 0)
{
PhAppendStringBuilder2(&stringBuilder, L"Notes:\n");
PhAppendStringBuilder(&stringBuilder, ¬es.String->sr);
}
PhDeleteStringBuilder(¬es);
}
if (ValidToTickCount)
*ValidToTickCount = GetTickCount() + validForMs;
// Remove the trailing newline.
if (stringBuilder.String->Length != 0)
PhRemoveEndStringBuilder(&stringBuilder, 1);
return PhFinalStringBuilderString(&stringBuilder);
}
VOID NetAdaptersUpdate(
VOID
)
{
static ULONG runCount = 0; // MUST keep in sync with runCount in process provider
PhAcquireQueuedLockShared(&NetworkAdaptersListLock);
for (ULONG i = 0; i < NetworkAdaptersList->Count; i++)
{
HANDLE deviceHandle = NULL;
PDV_NETADAPTER_ENTRY entry;
ULONG64 networkInOctets = 0;
ULONG64 networkOutOctets = 0;
ULONG64 networkRcvSpeed = 0;
ULONG64 networkXmitSpeed = 0;
NDIS_MEDIA_CONNECT_STATE mediaState = MediaConnectStateUnknown;
entry = PhReferenceObjectSafe(NetworkAdaptersList->Items[i]);
if (!entry)
continue;
if (PhGetIntegerSetting(SETTING_NAME_ENABLE_NDIS))
{
if (NT_SUCCESS(NetworkAdapterCreateHandle(&deviceHandle, entry->Id.InterfaceGuid)))
{
if (!entry->CheckedDeviceSupport)
{
// Check the network adapter supports the OIDs we're going to be using.
if (NetworkAdapterQuerySupported(deviceHandle))
{
entry->DeviceSupported = TRUE;
}
entry->CheckedDeviceSupport = TRUE;
}
if (!entry->DeviceSupported)
{
// Device is faulty. Close the handle so we can fallback to GetIfEntry.
NtClose(deviceHandle);
deviceHandle = NULL;
}
}
}
if (deviceHandle)
{
NDIS_STATISTICS_INFO interfaceStats;
NDIS_LINK_STATE interfaceState;
memset(&interfaceStats, 0, sizeof(NDIS_STATISTICS_INFO));
NetworkAdapterQueryStatistics(deviceHandle, &interfaceStats);
if (NT_SUCCESS(NetworkAdapterQueryLinkState(deviceHandle, &interfaceState)))
{
mediaState = interfaceState.MediaConnectState;
}
if (!(interfaceStats.SupportedStatistics & NDIS_STATISTICS_FLAGS_VALID_BYTES_RCV))
networkInOctets = NetworkAdapterQueryValue(deviceHandle, OID_GEN_BYTES_RCV);
else
networkInOctets = interfaceStats.ifHCInOctets;
if (!(interfaceStats.SupportedStatistics & NDIS_STATISTICS_FLAGS_VALID_BYTES_XMIT))
networkOutOctets = NetworkAdapterQueryValue(deviceHandle, OID_GEN_BYTES_XMIT);
else
networkOutOctets = interfaceStats.ifHCOutOctets;
networkRcvSpeed = networkInOctets - entry->LastInboundValue;
networkXmitSpeed = networkOutOctets - entry->LastOutboundValue;
// HACK: Pull the Adapter name from the current query.
if (!entry->AdapterName)
{
entry->AdapterName = NetworkAdapterQueryName(deviceHandle, entry->Id.InterfaceGuid);
}
entry->DevicePresent = TRUE;
NtClose(deviceHandle);
}
else
{
MIB_IF_ROW2 interfaceRow;
if (QueryInterfaceRow(&entry->Id, &interfaceRow))
{
networkInOctets = interfaceRow.InOctets;
networkOutOctets = interfaceRow.OutOctets;
mediaState = interfaceRow.MediaConnectState;
networkRcvSpeed = networkInOctets - entry->LastInboundValue;
networkXmitSpeed = networkOutOctets - entry->LastOutboundValue;
// HACK: Pull the Adapter name from the current query.
if (!entry->AdapterName && PhCountStringZ(interfaceRow.Description) > 0)
{
entry->AdapterName = PhCreateString(interfaceRow.Description);
}
entry->DevicePresent = TRUE;
}
else
{
entry->DevicePresent = FALSE;
}
}
if (mediaState == MediaConnectStateUnknown)
{
// We don't want incorrect data when the adapter is disabled.
networkRcvSpeed = 0;
networkXmitSpeed = 0;
}
if (!entry->HaveFirstSample)
{
// The first sample must be zero.
networkRcvSpeed = 0;
networkXmitSpeed = 0;
entry->HaveFirstSample = TRUE;
}
if (runCount != 0)
{
PhAddItemCircularBuffer_ULONG64(&entry->InboundBuffer, networkRcvSpeed);
PhAddItemCircularBuffer_ULONG64(&entry->OutboundBuffer, networkXmitSpeed);
}
//context->LinkSpeed = networkLinkSpeed;
entry->InboundValue = networkRcvSpeed;
entry->OutboundValue = networkXmitSpeed;
entry->LastInboundValue = networkInOctets;
entry->LastOutboundValue = networkOutOctets;
PhDereferenceObjectDeferDelete(entry);
}
PhReleaseQueuedLockShared(&NetworkAdaptersListLock);
runCount++;
}
PPH_STRING PhGetProcessTooltipText(
__in PPH_PROCESS_ITEM Process
)
{
PH_STRING_BUILDER stringBuilder;
PPH_STRING tempString;
PhInitializeStringBuilder(&stringBuilder, 200);
// Command line
if (Process->CommandLine)
{
PhAppendStringBuilder(&stringBuilder, Process->CommandLine);
PhAppendCharStringBuilder(&stringBuilder, '\n');
}
// File information
tempString = PhFormatImageVersionInfo(
Process->FileName,
&Process->VersionInfo,
L" ",
0
);
if (!PhIsNullOrEmptyString(tempString))
{
PhAppendStringBuilder2(&stringBuilder, L"File:\n");
PhAppendStringBuilder(&stringBuilder, tempString);
PhAppendCharStringBuilder(&stringBuilder, '\n');
}
if (tempString)
PhDereferenceObject(tempString);
// Known command line information
if (Process->CommandLine && Process->QueryHandle)
{
PH_KNOWN_PROCESS_TYPE knownProcessType;
PH_KNOWN_PROCESS_COMMAND_LINE knownCommandLine;
if (NT_SUCCESS(PhGetProcessKnownType(
Process->QueryHandle,
&knownProcessType
)) && PhaGetProcessKnownCommandLine(
Process->CommandLine,
knownProcessType,
&knownCommandLine
))
{
switch (knownProcessType & KnownProcessTypeMask)
{
case ServiceHostProcessType:
PhAppendStringBuilder2(&stringBuilder, L"Service group name:\n ");
PhAppendStringBuilder(&stringBuilder, knownCommandLine.ServiceHost.GroupName);
PhAppendCharStringBuilder(&stringBuilder, '\n');
break;
case RunDllAsAppProcessType:
{
PH_IMAGE_VERSION_INFO versionInfo;
if (PhInitializeImageVersionInfo(
&versionInfo,
knownCommandLine.RunDllAsApp.FileName->Buffer
))
{
tempString = PhFormatImageVersionInfo(
knownCommandLine.RunDllAsApp.FileName,
&versionInfo,
L" ",
0
);
if (!PhIsNullOrEmptyString(tempString))
{
PhAppendStringBuilder2(&stringBuilder, L"Run DLL target file:\n");
PhAppendStringBuilder(&stringBuilder, tempString);
PhAppendCharStringBuilder(&stringBuilder, '\n');
}
if (tempString)
PhDereferenceObject(tempString);
PhDeleteImageVersionInfo(&versionInfo);
}
}
break;
case ComSurrogateProcessType:
{
PH_IMAGE_VERSION_INFO versionInfo;
PPH_STRING guidString;
PhAppendStringBuilder2(&stringBuilder, L"COM target:\n");
if (knownCommandLine.ComSurrogate.Name)
{
PhAppendStringBuilder2(&stringBuilder, L" ");
PhAppendStringBuilder(&stringBuilder, knownCommandLine.ComSurrogate.Name);
PhAppendCharStringBuilder(&stringBuilder, '\n');
}
if (guidString = PhFormatGuid(&knownCommandLine.ComSurrogate.Guid))
{
PhAppendStringBuilder2(&stringBuilder, L" ");
PhAppendStringBuilder(&stringBuilder, guidString);
PhDereferenceObject(guidString);
PhAppendCharStringBuilder(&stringBuilder, '\n');
}
if (knownCommandLine.ComSurrogate.FileName && PhInitializeImageVersionInfo(
&versionInfo,
knownCommandLine.ComSurrogate.FileName->Buffer
))
{
tempString = PhFormatImageVersionInfo(
knownCommandLine.ComSurrogate.FileName,
&versionInfo,
L" ",
0
);
if (!PhIsNullOrEmptyString(tempString))
{
PhAppendStringBuilder2(&stringBuilder, L"COM target file:\n");
PhAppendStringBuilder(&stringBuilder, tempString);
PhAppendCharStringBuilder(&stringBuilder, '\n');
}
if (tempString)
PhDereferenceObject(tempString);
PhDeleteImageVersionInfo(&versionInfo);
}
}
break;
}
}
}
// Services
if (Process->ServiceList && Process->ServiceList->Count != 0)
{
ULONG enumerationKey = 0;
PPH_SERVICE_ITEM serviceItem;
PPH_LIST serviceList;
ULONG i;
// Copy the service list into our own list so we can sort it.
serviceList = PhCreateList(Process->ServiceList->Count);
PhAcquireQueuedLockShared(&Process->ServiceListLock);
while (PhEnumPointerList(
Process->ServiceList,
&enumerationKey,
&serviceItem
))
{
PhReferenceObject(serviceItem);
PhAddItemList(serviceList, serviceItem);
}
PhReleaseQueuedLockShared(&Process->ServiceListLock);
qsort(serviceList->Items, serviceList->Count, sizeof(PPH_SERVICE_ITEM), ServiceForTooltipCompare);
PhAppendStringBuilder2(&stringBuilder, L"Services:\n");
// Add the services.
for (i = 0; i < serviceList->Count; i++)
{
serviceItem = serviceList->Items[i];
PhAppendStringBuilder2(&stringBuilder, L" ");
PhAppendStringBuilder(&stringBuilder, serviceItem->Name);
PhAppendStringBuilder2(&stringBuilder, L" (");
PhAppendStringBuilder(&stringBuilder, serviceItem->DisplayName);
PhAppendStringBuilder2(&stringBuilder, L")\n");
}
PhDereferenceObjects(serviceList->Items, serviceList->Count);
PhDereferenceObject(serviceList);
}
// Tasks
if (PhEqualString2(Process->ProcessName, L"taskeng.exe", TRUE) ||
PhEqualString2(Process->ProcessName, L"taskhost.exe", TRUE))
{
PH_STRING_BUILDER tasks;
PhInitializeStringBuilder(&tasks, 40);
PhpFillRunningTasks(Process, &tasks);
if (tasks.String->Length != 0)
{
PhAppendStringBuilder2(&stringBuilder, L"Tasks:\n");
PhAppendStringBuilder(&stringBuilder, tasks.String);
}
PhDeleteStringBuilder(&tasks);
}
// Plugin
if (PhPluginsEnabled)
{
PH_PLUGIN_GET_TOOLTIP_TEXT getTooltipText;
getTooltipText.Parameter = Process;
getTooltipText.StringBuilder = &stringBuilder;
PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackGetProcessTooltipText), &getTooltipText);
}
// Notes
{
PH_STRING_BUILDER notes;
PhInitializeStringBuilder(¬es, 40);
if (Process->FileName)
{
if (Process->VerifyResult == VrTrusted)
{
if (!PhIsNullOrEmptyString(Process->VerifySignerName))
PhAppendFormatStringBuilder(¬es, L" Signer: %s\n", Process->VerifySignerName->Buffer);
else
PhAppendStringBuilder2(¬es, L" Signed.\n");
}
else if (Process->VerifyResult == VrUnknown)
{
// Nothing
}
else if (Process->VerifyResult != VrNoSignature)
{
PhAppendStringBuilder2(¬es, L" Signature invalid.\n");
}
}
if (Process->IsPacked)
{
PhAppendFormatStringBuilder(
¬es,
L" Image is probably packed (%u imports over %u modules).\n",
Process->ImportFunctions,
Process->ImportModules
);
}
if (Process->ConsoleHostProcessId)
{
CLIENT_ID clientId;
PPH_STRING clientIdString;
clientId.UniqueProcess = Process->ConsoleHostProcessId;
clientId.UniqueThread = NULL;
clientIdString = PhGetClientIdName(&clientId);
PhAppendFormatStringBuilder(¬es, L" Console host: %s\n", clientIdString->Buffer);
PhDereferenceObject(clientIdString);
}
if (Process->IsDotNet)
PhAppendStringBuilder2(¬es, L" Process is managed (.NET).\n");
if (Process->IsElevated)
PhAppendStringBuilder2(¬es, L" Process is elevated.\n");
if (Process->IsInJob)
PhAppendStringBuilder2(¬es, L" Process is in a job.\n");
if (Process->IsPosix)
PhAppendStringBuilder2(¬es, L" Process is POSIX.\n");
if (Process->IsWow64)
PhAppendStringBuilder2(¬es, L" Process is 32-bit (WOW64).\n");
if (notes.String->Length != 0)
{
PhAppendStringBuilder2(&stringBuilder, L"Notes:\n");
PhAppendStringBuilder(&stringBuilder, notes.String);
}
PhDeleteStringBuilder(¬es);
}
// Remove the trailing newline.
if (stringBuilder.String->Length != 0)
PhRemoveStringBuilder(&stringBuilder, stringBuilder.String->Length / 2 - 1, 1);
return PhFinalStringBuilderString(&stringBuilder);
}
PPH_STRING PhGetSymbolFromAddress(
_In_ PPH_SYMBOL_PROVIDER SymbolProvider,
_In_ ULONG64 Address,
_Out_opt_ PPH_SYMBOL_RESOLVE_LEVEL ResolveLevel,
_Out_opt_ PPH_STRING *FileName,
_Out_opt_ PPH_STRING *SymbolName,
_Out_opt_ PULONG64 Displacement
)
{
PSYMBOL_INFOW symbolInfo;
ULONG nameLength;
PPH_STRING symbol = NULL;
PH_SYMBOL_RESOLVE_LEVEL resolveLevel;
ULONG64 displacement;
PPH_STRING modFileName = NULL;
PPH_STRING modBaseName = NULL;
ULONG64 modBase;
PPH_STRING symbolName = NULL;
if (!SymFromAddrW_I && !SymFromAddr_I)
return NULL;
if (Address == 0)
{
if (ResolveLevel) *ResolveLevel = PhsrlInvalid;
if (FileName) *FileName = NULL;
if (SymbolName) *SymbolName = NULL;
if (Displacement) *Displacement = 0;
return NULL;
}
#ifdef PH_SYMBOL_PROVIDER_DELAY_INIT
PhpRegisterSymbolProvider(SymbolProvider);
#endif
symbolInfo = PhAllocate(FIELD_OFFSET(SYMBOL_INFOW, Name) + PH_MAX_SYMBOL_NAME_LEN * 2);
memset(symbolInfo, 0, sizeof(SYMBOL_INFOW));
symbolInfo->SizeOfStruct = sizeof(SYMBOL_INFOW);
symbolInfo->MaxNameLen = PH_MAX_SYMBOL_NAME_LEN;
// Get the symbol name.
PH_LOCK_SYMBOLS();
// Note that we don't care whether this call
// succeeds or not, based on the assumption that
// it will not write to the symbolInfo structure
// if it fails. We've already zeroed the structure,
// so we can deal with it.
if (SymFromAddrW_I)
{
SymFromAddrW_I(
SymbolProvider->ProcessHandle,
Address,
&displacement,
symbolInfo
);
nameLength = symbolInfo->NameLen;
if (nameLength + 1 > PH_MAX_SYMBOL_NAME_LEN)
{
PhFree(symbolInfo);
symbolInfo = PhAllocate(FIELD_OFFSET(SYMBOL_INFOW, Name) + nameLength * 2 + 2);
memset(symbolInfo, 0, sizeof(SYMBOL_INFOW));
symbolInfo->SizeOfStruct = sizeof(SYMBOL_INFOW);
symbolInfo->MaxNameLen = nameLength + 1;
SymFromAddrW_I(
SymbolProvider->ProcessHandle,
Address,
&displacement,
symbolInfo
);
}
}
else if (SymFromAddr_I)
{
PSYMBOL_INFO symbolInfoA;
symbolInfoA = PhAllocate(FIELD_OFFSET(SYMBOL_INFO, Name) + PH_MAX_SYMBOL_NAME_LEN);
memset(symbolInfoA, 0, sizeof(SYMBOL_INFO));
symbolInfoA->SizeOfStruct = sizeof(SYMBOL_INFO);
symbolInfoA->MaxNameLen = PH_MAX_SYMBOL_NAME_LEN;
SymFromAddr_I(
SymbolProvider->ProcessHandle,
Address,
&displacement,
symbolInfoA
);
nameLength = symbolInfoA->NameLen;
if (nameLength + 1 > PH_MAX_SYMBOL_NAME_LEN)
{
PhFree(symbolInfoA);
symbolInfoA = PhAllocate(FIELD_OFFSET(SYMBOL_INFO, Name) + nameLength + 1);
memset(symbolInfoA, 0, sizeof(SYMBOL_INFO));
symbolInfoA->SizeOfStruct = sizeof(SYMBOL_INFO);
symbolInfoA->MaxNameLen = nameLength + 1;
SymFromAddr_I(
SymbolProvider->ProcessHandle,
Address,
&displacement,
symbolInfoA
);
// Also reallocate the Unicode-based buffer.
PhFree(symbolInfo);
symbolInfo = PhAllocate(FIELD_OFFSET(SYMBOL_INFOW, Name) + nameLength * 2 + 2);
memset(symbolInfo, 0, sizeof(SYMBOL_INFOW));
symbolInfo->SizeOfStruct = sizeof(SYMBOL_INFOW);
symbolInfo->MaxNameLen = nameLength + 1;
}
PhpSymbolInfoAnsiToUnicode(symbolInfo, symbolInfoA);
PhFree(symbolInfoA);
}
PH_UNLOCK_SYMBOLS();
// Find the module name.
if (symbolInfo->ModBase == 0)
{
modBase = PhGetModuleFromAddress(
SymbolProvider,
Address,
&modFileName
);
}
else
{
PH_SYMBOL_MODULE lookupSymbolModule;
PPH_AVL_LINKS existingLinks;
PPH_SYMBOL_MODULE symbolModule;
lookupSymbolModule.BaseAddress = symbolInfo->ModBase;
PhAcquireQueuedLockShared(&SymbolProvider->ModulesListLock);
existingLinks = PhFindElementAvlTree(&SymbolProvider->ModulesSet, &lookupSymbolModule.Links);
if (existingLinks)
{
symbolModule = CONTAINING_RECORD(existingLinks, PH_SYMBOL_MODULE, Links);
modFileName = symbolModule->FileName;
PhReferenceObject(modFileName);
}
PhReleaseQueuedLockShared(&SymbolProvider->ModulesListLock);
}
// If we don't have a module name, return an address.
if (!modFileName)
{
resolveLevel = PhsrlAddress;
symbol = PhCreateStringEx(NULL, PH_PTR_STR_LEN * 2);
PhPrintPointer(symbol->Buffer, (PVOID)Address);
PhTrimToNullTerminatorString(symbol);
goto CleanupExit;
}
modBaseName = PhGetBaseName(modFileName);
// If we have a module name but not a symbol name,
// return the module plus an offset: module+offset.
if (symbolInfo->NameLen == 0)
{
PH_FORMAT format[3];
resolveLevel = PhsrlModule;
PhInitFormatSR(&format[0], modBaseName->sr);
PhInitFormatS(&format[1], L"+0x");
PhInitFormatIX(&format[2], (ULONG_PTR)(Address - modBase));
symbol = PhFormat(format, 3, modBaseName->Length + 6 + 32);
goto CleanupExit;
}
// If we have everything, return the full symbol
// name: module!symbol+offset.
symbolName = PhCreateStringEx(
symbolInfo->Name,
symbolInfo->NameLen * 2
);
resolveLevel = PhsrlFunction;
if (displacement == 0)
{
PH_FORMAT format[3];
PhInitFormatSR(&format[0], modBaseName->sr);
PhInitFormatC(&format[1], '!');
PhInitFormatSR(&format[2], symbolName->sr);
symbol = PhFormat(format, 3, modBaseName->Length + 2 + symbolName->Length);
}
else
{
PH_FORMAT format[5];
PhInitFormatSR(&format[0], modBaseName->sr);
PhInitFormatC(&format[1], '!');
PhInitFormatSR(&format[2], symbolName->sr);
PhInitFormatS(&format[3], L"+0x");
PhInitFormatIX(&format[4], (ULONG_PTR)displacement);
symbol = PhFormat(format, 5, modBaseName->Length + 2 + symbolName->Length + 6 + 32);
}
CleanupExit:
if (ResolveLevel)
*ResolveLevel = resolveLevel;
if (FileName)
{
*FileName = modFileName;
if (modFileName)
PhReferenceObject(modFileName);
}
if (SymbolName)
{
*SymbolName = symbolName;
if (symbolName)
PhReferenceObject(symbolName);
}
if (Displacement)
*Displacement = displacement;
if (modFileName)
PhDereferenceObject(modFileName);
if (modBaseName)
PhDereferenceObject(modBaseName);
if (symbolName)
PhDereferenceObject(symbolName);
PhFree(symbolInfo);
return symbol;
}
BOOLEAN ProcessTreeFilterCallback(
_In_ PPH_TREENEW_NODE Node,
_In_opt_ PVOID Context
)
{
PPH_PROCESS_NODE processNode = (PPH_PROCESS_NODE)Node;
if (PhIsNullOrEmptyString(SearchboxText))
return TRUE;
if (!PhIsNullOrEmptyString(processNode->ProcessItem->ProcessName))
{
if (WordMatchStringRef(&processNode->ProcessItem->ProcessName->sr))
return TRUE;
}
if (!PhIsNullOrEmptyString(processNode->ProcessItem->FileName))
{
if (WordMatchStringRef(&processNode->ProcessItem->FileName->sr))
return TRUE;
}
if (!PhIsNullOrEmptyString(processNode->ProcessItem->CommandLine))
{
if (WordMatchStringRef(&processNode->ProcessItem->CommandLine->sr))
return TRUE;
}
if (!PhIsNullOrEmptyString(processNode->ProcessItem->VersionInfo.CompanyName))
{
if (WordMatchStringRef(&processNode->ProcessItem->VersionInfo.CompanyName->sr))
return TRUE;
}
if (!PhIsNullOrEmptyString(processNode->ProcessItem->VersionInfo.FileDescription))
{
if (WordMatchStringRef(&processNode->ProcessItem->VersionInfo.FileDescription->sr))
return TRUE;
}
if (!PhIsNullOrEmptyString(processNode->ProcessItem->VersionInfo.FileVersion))
{
if (WordMatchStringRef(&processNode->ProcessItem->VersionInfo.FileVersion->sr))
return TRUE;
}
if (!PhIsNullOrEmptyString(processNode->ProcessItem->VersionInfo.ProductName))
{
if (WordMatchStringRef(&processNode->ProcessItem->VersionInfo.ProductName->sr))
return TRUE;
}
if (!PhIsNullOrEmptyString(processNode->ProcessItem->UserName))
{
if (WordMatchStringRef(&processNode->ProcessItem->UserName->sr))
return TRUE;
}
if (processNode->ProcessItem->IntegrityString)
{
if (WordMatchStringZ(processNode->ProcessItem->IntegrityString))
return TRUE;
}
if (!PhIsNullOrEmptyString(processNode->ProcessItem->JobName))
{
if (WordMatchStringRef(&processNode->ProcessItem->JobName->sr))
return TRUE;
}
if (!PhIsNullOrEmptyString(processNode->ProcessItem->VerifySignerName))
{
if (WordMatchStringRef(&processNode->ProcessItem->VerifySignerName->sr))
return TRUE;
}
if (processNode->ProcessItem->ProcessIdString[0])
{
if (WordMatchStringZ(processNode->ProcessItem->ProcessIdString))
return TRUE;
}
if (processNode->ProcessItem->ParentProcessIdString[0])
{
if (WordMatchStringZ(processNode->ProcessItem->ParentProcessIdString))
return TRUE;
}
if (processNode->ProcessItem->SessionIdString[0])
{
if (WordMatchStringZ(processNode->ProcessItem->SessionIdString))
return TRUE;
}
if (!PhIsNullOrEmptyString(processNode->ProcessItem->PackageFullName))
{
if (WordMatchStringRef(&processNode->ProcessItem->PackageFullName->sr))
return TRUE;
}
if (WordMatchStringZ(PhGetProcessPriorityClassString(processNode->ProcessItem->PriorityClass)))
{
return TRUE;
}
if (processNode->ProcessItem->VerifyResult != VrUnknown)
{
switch (processNode->ProcessItem->VerifyResult)
{
case VrNoSignature:
if (WordMatchStringZ(L"NoSignature"))
return TRUE;
break;
case VrTrusted:
if (WordMatchStringZ(L"Trusted"))
return TRUE;
break;
case VrExpired:
if (WordMatchStringZ(L"Expired"))
return TRUE;
break;
case VrRevoked:
if (WordMatchStringZ(L"Revoked"))
return TRUE;
break;
case VrDistrust:
if (WordMatchStringZ(L"Distrust"))
return TRUE;
break;
case VrSecuritySettings:
if (WordMatchStringZ(L"SecuritySettings"))
return TRUE;
break;
case VrBadSignature:
if (WordMatchStringZ(L"BadSignature"))
return TRUE;
break;
default:
if (WordMatchStringZ(L"Unknown"))
return TRUE;
break;
}
}
if (processNode->ProcessItem->ElevationType != TokenElevationTypeDefault)
{
switch (processNode->ProcessItem->ElevationType)
{
case TokenElevationTypeLimited:
if (WordMatchStringZ(L"Limited"))
return TRUE;
break;
case TokenElevationTypeFull:
if (WordMatchStringZ(L"Full"))
return TRUE;
break;
default:
if (WordMatchStringZ(L"Unknown"))
return TRUE;
break;
}
}
if (WordMatchStringZ(L"IsBeingDebugged") && processNode->ProcessItem->IsBeingDebugged)
{
return TRUE;
}
if (WordMatchStringZ(L"IsDotNet") && processNode->ProcessItem->IsDotNet)
{
return TRUE;
}
if (WordMatchStringZ(L"IsElevated") && processNode->ProcessItem->IsElevated)
{
return TRUE;
}
if (WordMatchStringZ(L"IsInJob") && processNode->ProcessItem->IsInJob)
{
return TRUE;
}
if (WordMatchStringZ(L"IsInSignificantJob") && processNode->ProcessItem->IsInSignificantJob)
{
return TRUE;
}
if (WordMatchStringZ(L"IsPacked") && processNode->ProcessItem->IsPacked)
{
return TRUE;
}
if (WordMatchStringZ(L"IsSuspended") && processNode->ProcessItem->IsSuspended)
{
return TRUE;
}
if (WordMatchStringZ(L"IsWow64") && processNode->ProcessItem->IsWow64)
{
return TRUE;
}
if (WordMatchStringZ(L"IsImmersive") && processNode->ProcessItem->IsImmersive)
{
return TRUE;
}
if (WordMatchStringZ(L"IsProtectedProcess") && processNode->ProcessItem->IsProtectedProcess)
{
return TRUE;
}
if (WordMatchStringZ(L"IsSecureProcess") && processNode->ProcessItem->IsSecureProcess)
{
return TRUE;
}
if (WordMatchStringZ(L"IsPicoProcess") && processNode->ProcessItem->IsSubsystemProcess)
{
return TRUE;
}
if (processNode->ProcessItem->ServiceList && processNode->ProcessItem->ServiceList->Count)
{
ULONG enumerationKey = 0;
PPH_SERVICE_ITEM serviceItem;
PPH_LIST serviceList;
ULONG i;
BOOLEAN matched = FALSE;
// Copy the service list so we can search it.
serviceList = PhCreateList(processNode->ProcessItem->ServiceList->Count);
PhAcquireQueuedLockShared(&processNode->ProcessItem->ServiceListLock);
while (PhEnumPointerList(
processNode->ProcessItem->ServiceList,
&enumerationKey,
&serviceItem
))
{
PhReferenceObject(serviceItem);
PhAddItemList(serviceList, serviceItem);
}
PhReleaseQueuedLockShared(&processNode->ProcessItem->ServiceListLock);
for (i = 0; i < serviceList->Count; i++)
{
PPH_STRING serviceFileName = NULL;
PPH_STRING serviceBinaryPath = NULL;
serviceItem = serviceList->Items[i];
if (!PhIsNullOrEmptyString(serviceItem->Name))
{
if (WordMatchStringRef(&serviceItem->Name->sr))
{
matched = TRUE;
break;
}
}
if (!PhIsNullOrEmptyString(serviceItem->DisplayName))
{
if (WordMatchStringRef(&serviceItem->DisplayName->sr))
{
matched = TRUE;
break;
}
}
if (serviceItem->ProcessId)
{
if (WordMatchStringZ(serviceItem->ProcessIdString))
{
matched = TRUE;
break;
}
}
if (NT_SUCCESS(QueryServiceFileName(
&serviceItem->Name->sr,
&serviceFileName,
&serviceBinaryPath
)))
{
if (serviceFileName)
{
if (WordMatchStringRef(&serviceFileName->sr))
{
matched = TRUE;
}
PhDereferenceObject(serviceFileName);
}
if (serviceBinaryPath)
{
if (WordMatchStringRef(&serviceBinaryPath->sr))
{
matched = TRUE;
}
PhDereferenceObject(serviceBinaryPath);
}
if (matched)
break;
}
}
PhDereferenceObjects(serviceList->Items, serviceList->Count);
PhDereferenceObject(serviceList);
if (matched)
return TRUE;
}
return FALSE;
}
VOID DiskDrivesUpdate(
VOID
)
{
static ULONG runCount = 0; // MUST keep in sync with runCount in process provider
PhAcquireQueuedLockShared(&DiskDrivesListLock);
for (ULONG i = 0; i < DiskDrivesList->Count; i++)
{
HANDLE deviceHandle;
PDV_DISK_ENTRY entry;
entry = PhReferenceObjectSafe(DiskDrivesList->Items[i]);
if (!entry)
continue;
if (NT_SUCCESS(DiskDriveCreateHandle(&deviceHandle, entry->Id.DevicePath)))
{
DISK_PERFORMANCE diskPerformance;
if (NT_SUCCESS(DiskDriveQueryStatistics(deviceHandle, &diskPerformance)))
{
ULONG64 readTime;
ULONG64 writeTime;
ULONG64 idleTime;
ULONG readCount;
ULONG writeCount;
ULONG64 queryTime;
PhUpdateDelta(&entry->BytesReadDelta, diskPerformance.BytesRead.QuadPart);
PhUpdateDelta(&entry->BytesWrittenDelta, diskPerformance.BytesWritten.QuadPart);
PhUpdateDelta(&entry->ReadTimeDelta, diskPerformance.ReadTime.QuadPart);
PhUpdateDelta(&entry->WriteTimeDelta, diskPerformance.WriteTime.QuadPart);
PhUpdateDelta(&entry->IdleTimeDelta, diskPerformance.IdleTime.QuadPart);
PhUpdateDelta(&entry->ReadCountDelta, diskPerformance.ReadCount);
PhUpdateDelta(&entry->WriteCountDelta, diskPerformance.WriteCount);
PhUpdateDelta(&entry->QueryTimeDelta, diskPerformance.QueryTime.QuadPart);
readTime = entry->ReadTimeDelta.Delta;
writeTime = entry->WriteTimeDelta.Delta;
idleTime = entry->IdleTimeDelta.Delta;
readCount = entry->ReadCountDelta.Delta;
writeCount = entry->WriteCountDelta.Delta;
queryTime = entry->QueryTimeDelta.Delta;
if (readCount + writeCount != 0)
entry->ResponseTime = ((FLOAT)readTime + (FLOAT)writeTime) / (readCount + writeCount);
else
entry->ResponseTime = 0;
if (queryTime != 0)
entry->ActiveTime = (FLOAT)(queryTime - idleTime) / queryTime * 100;
else
entry->ActiveTime = 0.0f;
if (entry->ActiveTime > 100.f)
entry->ActiveTime = 0.f;
if (entry->ActiveTime < 0.f)
entry->ActiveTime = 0.f;
entry->QueueDepth = diskPerformance.QueueDepth;
entry->SplitCount = diskPerformance.SplitCount;
entry->DiskIndex = diskPerformance.StorageDeviceNumber;
entry->DevicePresent = TRUE;
}
else
{
// Disk has been disconnected or dismounted.
PhInitializeDelta(&entry->BytesReadDelta);
PhInitializeDelta(&entry->BytesWrittenDelta);
PhInitializeDelta(&entry->ReadTimeDelta);
PhInitializeDelta(&entry->WriteTimeDelta);
PhInitializeDelta(&entry->IdleTimeDelta);
PhInitializeDelta(&entry->ReadCountDelta);
PhInitializeDelta(&entry->WriteCountDelta);
PhInitializeDelta(&entry->QueryTimeDelta);
entry->ResponseTime = 0;
entry->ActiveTime = 0.0f;
entry->QueueDepth = 0;
entry->SplitCount = 0;
entry->DiskIndex = ULONG_MAX;
entry->DevicePresent = FALSE;
PhClearReference(&entry->DiskIndexName);
}
if (runCount > 1)
{
// Delay the first query for the disk name, index and type.
// 1) This information is not needed until the user opens the sysinfo window.
// 2) Try not to query this information while opening the sysinfo window (e.g. delay).
// 3) Try not to query this information during startup (e.g. delay).
//
// Note: If the user opens the Sysinfo window before we query the disk info,
// we have a second check in diskgraph.c that queries the information on demand.
DiskDriveUpdateDeviceInfo(deviceHandle, entry);
}
NtClose(deviceHandle);
}
else
{
// Disk has been disconnected or dismounted.
PhInitializeDelta(&entry->BytesReadDelta);
PhInitializeDelta(&entry->BytesWrittenDelta);
PhInitializeDelta(&entry->ReadTimeDelta);
PhInitializeDelta(&entry->WriteTimeDelta);
PhInitializeDelta(&entry->IdleTimeDelta);
PhInitializeDelta(&entry->ReadCountDelta);
PhInitializeDelta(&entry->WriteCountDelta);
PhInitializeDelta(&entry->QueryTimeDelta);
entry->ResponseTime = 0;
entry->ActiveTime = 0.0f;
entry->QueueDepth = 0;
entry->SplitCount = 0;
entry->DiskIndex = ULONG_MAX;
entry->DevicePresent = FALSE;
PhClearReference(&entry->DiskIndexName);
}
if (!entry->HaveFirstSample)
{
// The first sample must be zero.
entry->BytesReadDelta.Delta = 0;
entry->BytesWrittenDelta.Delta = 0;
entry->HaveFirstSample = TRUE;
}
if (runCount != 0)
{
PhAddItemCircularBuffer_ULONG64(&entry->ReadBuffer, entry->BytesReadDelta.Delta);
PhAddItemCircularBuffer_ULONG64(&entry->WriteBuffer, entry->BytesWrittenDelta.Delta);
}
PhDereferenceObjectDeferDelete(entry);
}
PhReleaseQueuedLockShared(&DiskDrivesListLock);
runCount++;
}
VOID FindDiskDrives(
_In_ PDV_DISK_OPTIONS_CONTEXT Context
)
{
PPH_LIST deviceList;
HDEVINFO deviceInfoHandle;
SP_DEVICE_INTERFACE_DATA deviceInterfaceData = { sizeof(SP_DEVICE_INTERFACE_DATA) };
SP_DEVINFO_DATA deviceInfoData = { sizeof(SP_DEVINFO_DATA) };
PSP_DEVICE_INTERFACE_DETAIL_DATA deviceInterfaceDetail;
ULONG deviceInfoLength = 0;
if ((deviceInfoHandle = SetupDiGetClassDevs(
&GUID_DEVINTERFACE_DISK,
NULL,
NULL,
DIGCF_DEVICEINTERFACE
)) == INVALID_HANDLE_VALUE)
{
return;
}
deviceList = PH_AUTO(PhCreateList(1));
for (ULONG i = 0; SetupDiEnumDeviceInterfaces(deviceInfoHandle, NULL, &GUID_DEVINTERFACE_DISK, i, &deviceInterfaceData); i++)
{
if (SetupDiGetDeviceInterfaceDetail(
deviceInfoHandle,
&deviceInterfaceData,
0,
0,
&deviceInfoLength,
&deviceInfoData
) || GetLastError() != ERROR_INSUFFICIENT_BUFFER)
{
continue;
}
deviceInterfaceDetail = PhAllocate(deviceInfoLength);
deviceInterfaceDetail->cbSize = sizeof(SP_DEVICE_INTERFACE_DETAIL_DATA);
if (SetupDiGetDeviceInterfaceDetail(
deviceInfoHandle,
&deviceInterfaceData,
deviceInterfaceDetail,
deviceInfoLength,
&deviceInfoLength,
&deviceInfoData
))
{
HANDLE deviceHandle;
PDISK_ENUM_ENTRY diskEntry;
WCHAR diskFriendlyName[MAX_PATH] = L"";
// This crashes on XP with error 0xC06D007F
//SetupDiGetDeviceProperty(
// deviceInfoHandle,
// &deviceInfoData,
// &DEVPKEY_Device_FriendlyName,
// &devicePropertyType,
// (PBYTE)diskFriendlyName,
// ARRAYSIZE(diskFriendlyName),
// NULL,
// 0
// );
if (!SetupDiGetDeviceRegistryProperty(
deviceInfoHandle,
&deviceInfoData,
SPDRP_FRIENDLYNAME,
NULL,
(PBYTE)diskFriendlyName,
ARRAYSIZE(diskFriendlyName),
NULL
))
{
continue;
}
diskEntry = PhAllocate(sizeof(DISK_ENUM_ENTRY));
memset(diskEntry, 0, sizeof(DISK_ENUM_ENTRY));
diskEntry->DeviceIndex = ULONG_MAX; // Note: Do not initialize to zero.
diskEntry->DeviceName = PhCreateString(diskFriendlyName);
diskEntry->DevicePath = PhCreateString(deviceInterfaceDetail->DevicePath);
if (NT_SUCCESS(DiskDriveCreateHandle(
&deviceHandle,
diskEntry->DevicePath
)))
{
ULONG diskIndex = ULONG_MAX; // Note: Do not initialize to zero
if (NT_SUCCESS(DiskDriveQueryDeviceTypeAndNumber(
deviceHandle,
&diskIndex,
NULL
)))
{
PPH_STRING diskMountPoints = PH_AUTO_T(PH_STRING, DiskDriveQueryDosMountPoints(diskIndex));
diskEntry->DeviceIndex = diskIndex;
diskEntry->DevicePresent = TRUE;
if (!PhIsNullOrEmptyString(diskMountPoints))
{
diskEntry->DeviceMountPoints = PhFormatString(
L"Disk %lu (%s) [%s]",
diskIndex,
diskMountPoints->Buffer,
diskFriendlyName
);
}
else
{
diskEntry->DeviceMountPoints = PhFormatString(
L"Disk %lu [%s]",
diskIndex,
diskFriendlyName
);
}
}
NtClose(deviceHandle);
}
PhAddItemList(deviceList, diskEntry);
}
PhFree(deviceInterfaceDetail);
}
SetupDiDestroyDeviceInfoList(deviceInfoHandle);
// Sort the entries
qsort(deviceList->Items, deviceList->Count, sizeof(PVOID), DiskEntryCompareFunction);
Context->EnumeratingDisks = TRUE;
PhAcquireQueuedLockShared(&DiskDrivesListLock);
for (ULONG i = 0; i < deviceList->Count; i++)
{
PDISK_ENUM_ENTRY entry = deviceList->Items[i];
AddDiskDriveToListView(
Context,
entry->DevicePresent,
entry->DevicePath,
entry->DeviceMountPoints ? entry->DeviceMountPoints : entry->DeviceName
);
if (entry->DeviceMountPoints)
PhDereferenceObject(entry->DeviceMountPoints);
if (entry->DeviceName)
PhDereferenceObject(entry->DeviceName);
// Note: DevicePath is disposed by WM_DESTROY.
PhFree(entry);
}
PhReleaseQueuedLockShared(&DiskDrivesListLock);
Context->EnumeratingDisks = FALSE;
// HACK: Show all unknown devices.
Context->EnumeratingDisks = TRUE;
PhAcquireQueuedLockShared(&DiskDrivesListLock);
for (ULONG i = 0; i < DiskDrivesList->Count; i++)
{
ULONG index = -1;
BOOLEAN found = FALSE;
PDV_DISK_ENTRY entry = PhReferenceObjectSafe(DiskDrivesList->Items[i]);
if (!entry)
continue;
while ((index = PhFindListViewItemByFlags(
Context->ListViewHandle,
index,
LVNI_ALL
)) != -1)
{
PDV_DISK_ID param;
if (PhGetListViewItemParam(Context->ListViewHandle, index, ¶m))
{
if (EquivalentDiskId(param, &entry->Id))
{
found = TRUE;
}
}
}
if (!found)
{
PPH_STRING description;
if (description = PhCreateString(L"Unknown disk"))
{
AddDiskDriveToListView(
Context,
FALSE,
entry->Id.DevicePath,
description
);
PhDereferenceObject(description);
}
}
PhDereferenceObjectDeferDelete(entry);
}
PhReleaseQueuedLockShared(&DiskDrivesListLock);
Context->EnumeratingDisks = FALSE;
}