NTSTATUS PhSipLoadMmAddresses( _In_ PVOID Parameter ) { PRTL_PROCESS_MODULES kernelModules; PPH_SYMBOL_PROVIDER symbolProvider; PPH_STRING kernelFileName; PPH_STRING newFileName; PH_SYMBOL_INFORMATION symbolInfo; if (NT_SUCCESS(PhEnumKernelModules(&kernelModules))) { if (kernelModules->NumberOfModules >= 1) { symbolProvider = PhCreateSymbolProvider(NULL); PhLoadSymbolProviderOptions(symbolProvider); kernelFileName = PH_AUTO(PhConvertMultiByteToUtf16(kernelModules->Modules[0].FullPathName)); newFileName = PH_AUTO(PhGetFileName(kernelFileName)); PhLoadModuleSymbolProvider( symbolProvider, newFileName->Buffer, (ULONG64)kernelModules->Modules[0].ImageBase, kernelModules->Modules[0].ImageSize ); if (PhGetSymbolFromName( symbolProvider, L"MmSizeOfPagedPoolInBytes", &symbolInfo )) { MmSizeOfPagedPoolInBytes = (PSIZE_T)symbolInfo.Address; } if (PhGetSymbolFromName( symbolProvider, L"MmMaximumNonPagedPoolInBytes", &symbolInfo )) { MmMaximumNonPagedPoolInBytes = (PSIZE_T)symbolInfo.Address; } PhDereferenceObject(symbolProvider); } PhFree(kernelModules); } return STATUS_SUCCESS; }
PPH_THREAD_PROVIDER PhCreateThreadProvider( __in HANDLE ProcessId ) { PPH_THREAD_PROVIDER threadProvider; if (!NT_SUCCESS(PhCreateObject( &threadProvider, sizeof(PH_THREAD_PROVIDER), 0, PhThreadProviderType ))) return NULL; threadProvider->ThreadHashtable = PhCreateHashtable( sizeof(PPH_THREAD_ITEM), PhpThreadHashtableCompareFunction, PhpThreadHashtableHashFunction, 20 ); PhInitializeFastLock(&threadProvider->ThreadHashtableLock); PhInitializeCallback(&threadProvider->ThreadAddedEvent); PhInitializeCallback(&threadProvider->ThreadModifiedEvent); PhInitializeCallback(&threadProvider->ThreadRemovedEvent); PhInitializeCallback(&threadProvider->UpdatedEvent); PhInitializeCallback(&threadProvider->LoadingStateChangedEvent); threadProvider->ProcessId = ProcessId; threadProvider->SymbolProvider = PhCreateSymbolProvider(ProcessId); if (threadProvider->SymbolProvider) { if (threadProvider->SymbolProvider->IsRealHandle) threadProvider->ProcessHandle = threadProvider->SymbolProvider->ProcessHandle; } PhInitializeEvent(&threadProvider->SymbolsLoadedEvent); threadProvider->SymbolsLoading = 0; RtlInitializeSListHead(&threadProvider->QueryListHead); threadProvider->RunId = 1; // Begin loading symbols for the process' modules. PhReferenceObject(threadProvider); PhpQueueThreadWorkQueueItem(PhpThreadProviderLoadSymbols, threadProvider); return threadProvider; }
VOID PhShowNetworkStackDialog( _In_ HWND ParentWindowHandle, _In_ PPH_NETWORK_ITEM NetworkItem ) { NETWORK_STACK_CONTEXT networkStackContext; networkStackContext.NetworkItem = NetworkItem; networkStackContext.SymbolProvider = PhCreateSymbolProvider(NetworkItem->ProcessId); if (networkStackContext.SymbolProvider->IsRealHandle) { // Load symbols for the process. networkStackContext.LoadingProcessId = NetworkItem->ProcessId; PhEnumGenericModules( NetworkItem->ProcessId, networkStackContext.SymbolProvider->ProcessHandle, 0, LoadSymbolsEnumGenericModulesCallback, &networkStackContext ); // Load symbols for kernel-mode. networkStackContext.LoadingProcessId = SYSTEM_PROCESS_ID; PhEnumGenericModules( SYSTEM_PROCESS_ID, NULL, 0, LoadSymbolsEnumGenericModulesCallback, &networkStackContext ); } else { PhDereferenceObject(networkStackContext.SymbolProvider); PhShowError(ParentWindowHandle, L"Unable to open the process."); return; } DialogBoxParam( PhInstanceHandle, MAKEINTRESOURCE(IDD_NETSTACK), ParentWindowHandle, PhpNetworkStackDlgProc, (LPARAM)&networkStackContext ); PhDereferenceObject(networkStackContext.SymbolProvider); }
PPH_THREAD_PROVIDER PhCreateThreadProvider( _In_ HANDLE ProcessId ) { PPH_THREAD_PROVIDER threadProvider; threadProvider = PhCreateObject( PhEmGetObjectSize(EmThreadProviderType, sizeof(PH_THREAD_PROVIDER)), PhThreadProviderType ); memset(threadProvider, 0, sizeof(PH_THREAD_PROVIDER)); threadProvider->ThreadHashtable = PhCreateHashtable( sizeof(PPH_THREAD_ITEM), PhpThreadHashtableEqualFunction, PhpThreadHashtableHashFunction, 20 ); PhInitializeFastLock(&threadProvider->ThreadHashtableLock); PhInitializeCallback(&threadProvider->ThreadAddedEvent); PhInitializeCallback(&threadProvider->ThreadModifiedEvent); PhInitializeCallback(&threadProvider->ThreadRemovedEvent); PhInitializeCallback(&threadProvider->UpdatedEvent); PhInitializeCallback(&threadProvider->LoadingStateChangedEvent); threadProvider->ProcessId = ProcessId; threadProvider->SymbolProvider = PhCreateSymbolProvider(ProcessId); if (threadProvider->SymbolProvider) { if (threadProvider->SymbolProvider->IsRealHandle) threadProvider->ProcessHandle = threadProvider->SymbolProvider->ProcessHandle; } RtlInitializeSListHead(&threadProvider->QueryListHead); PhInitializeQueuedLock(&threadProvider->LoadSymbolsLock); threadProvider->RunId = 1; threadProvider->SymbolsLoadedRunId = 0; // Force symbols to be loaded the first time we try to resolve an address PhEmCallObjectOperation(EmThreadProviderType, threadProvider, EmObjectCreate); return threadProvider; }
INT_PTR CALLBACK EtpWsWatchDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PWS_WATCH_CONTEXT context; if (uMsg == WM_INITDIALOG) { context = (PWS_WATCH_CONTEXT)lParam; SetProp(hwndDlg, L"Context", (HANDLE)context); } else { context = (PWS_WATCH_CONTEXT)GetProp(hwndDlg, L"Context"); if (uMsg == WM_DESTROY) RemoveProp(hwndDlg, L"Context"); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { HWND lvHandle; PhCenterWindow(hwndDlg, GetParent(hwndDlg)); context->WindowHandle = hwndDlg; context->ListViewHandle = lvHandle = GetDlgItem(hwndDlg, IDC_LIST); PhSetListViewStyle(lvHandle, FALSE, TRUE); PhSetControlTheme(lvHandle, L"explorer"); PhAddListViewColumn(lvHandle, 0, 0, 0, LVCFMT_LEFT, 340, L"Instruction"); PhAddListViewColumn(lvHandle, 1, 1, 1, LVCFMT_LEFT, 80, L"Count"); PhSetExtendedListView(lvHandle); ExtendedListView_SetSort(lvHandle, 1, DescendingSortOrder); context->Hashtable = PhCreateSimpleHashtable(64); context->BufferSize = 0x2000; context->Buffer = PhAllocate(context->BufferSize); PhInitializeQueuedLock(&context->ResultListLock); context->SymbolProvider = PhCreateSymbolProvider(context->ProcessItem->ProcessId); PhLoadSymbolProviderOptions(context->SymbolProvider); if (!context->SymbolProvider || !context->SymbolProvider->IsRealHandle) { PhShowError(hwndDlg, L"Unable to open the process."); EndDialog(hwndDlg, IDCANCEL); break; } context->ProcessHandle = context->SymbolProvider->ProcessHandle; // Load symbols for both process and kernel modules. context->LoadingSymbolsForProcessId = context->ProcessItem->ProcessId; PhEnumGenericModules( NULL, context->ProcessHandle, 0, EnumGenericModulesCallback, context ); context->LoadingSymbolsForProcessId = SYSTEM_PROCESS_ID; PhEnumGenericModules( SYSTEM_PROCESS_ID, NULL, 0, EnumGenericModulesCallback, context ); context->Enabled = EtpUpdateWsWatch(hwndDlg, context); if (context->Enabled) { // WS Watch is already enabled for the process. Enable updating. EnableWindow(GetDlgItem(hwndDlg, IDC_ENABLE), FALSE); ShowWindow(GetDlgItem(hwndDlg, IDC_WSWATCHENABLED), SW_SHOW); SetTimer(hwndDlg, 1, 1000, NULL); } else { // WS Watch has not yet been enabled for the process. } } break; case WM_DESTROY: { context->Destroying = TRUE; PhDereferenceObject(context->Hashtable); if (context->Buffer) { PhFree(context->Buffer); context->Buffer = NULL; } } break; case WM_COMMAND: { switch (LOWORD(wParam)) { case IDCANCEL: case IDOK: EndDialog(hwndDlg, IDOK); break; case IDC_ENABLE: { NTSTATUS status; HANDLE processHandle; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_SET_INFORMATION, context->ProcessItem->ProcessId ))) { status = NtSetInformationProcess( processHandle, ProcessWorkingSetWatchEx, NULL, 0 ); NtClose(processHandle); } if (NT_SUCCESS(status)) { EnableWindow(GetDlgItem(hwndDlg, IDC_ENABLE), FALSE); ShowWindow(GetDlgItem(hwndDlg, IDC_WSWATCHENABLED), SW_SHOW); SetTimer(hwndDlg, 1, 1000, NULL); } else { PhShowStatus(hwndDlg, L"Unable to enable WS watch", status, 0); } } break; } } break; case WM_NOTIFY: { PhHandleListViewNotifyForCopy(lParam, context->ListViewHandle); } break; case WM_TIMER: { switch (wParam) { case 1: { EtpUpdateWsWatch(hwndDlg, context); } break; } } break; } return FALSE; }
INT_PTR CALLBACK EtpTpWorkerFactoryPageDlgProc( __in HWND hwndDlg, __in UINT uMsg, __in WPARAM wParam, __in LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { LPPROPSHEETPAGE propSheetPage = (LPPROPSHEETPAGE)lParam; PCOMMON_PAGE_CONTEXT context = (PCOMMON_PAGE_CONTEXT)propSheetPage->lParam; HANDLE workerFactoryHandle; if (NT_SUCCESS(EtpDuplicateHandleFromProcess(&workerFactoryHandle, WORKER_FACTORY_QUERY_INFORMATION, context))) { WORKER_FACTORY_BASIC_INFORMATION basicInfo; if (NT_SUCCESS(NtQueryInformationWorkerFactory( workerFactoryHandle, WorkerFactoryBasicInformation, &basicInfo, sizeof(WORKER_FACTORY_BASIC_INFORMATION), NULL ))) { PPH_SYMBOL_PROVIDER symbolProvider; PPH_STRING symbol = NULL; symbolProvider = PhCreateSymbolProvider(basicInfo.ProcessId); PhLoadSymbolProviderOptions(symbolProvider); if (symbolProvider->IsRealHandle) { PhEnumGenericModules(basicInfo.ProcessId, symbolProvider->ProcessHandle, 0, EnumGenericModulesCallback, symbolProvider); symbol = PhGetSymbolFromAddress(symbolProvider, (ULONG64)basicInfo.StartRoutine, NULL, NULL, NULL, NULL); } PhDereferenceObject(symbolProvider); if (symbol) { SetDlgItemText(hwndDlg, IDC_WORKERTHREADSTART, PhaFormatString(L"Worker Thread Start: %s", symbol->Buffer)->Buffer); PhDereferenceObject(symbol); } else { SetDlgItemText(hwndDlg, IDC_WORKERTHREADSTART, PhaFormatString(L"Worker Thread Start: 0x%Ix", basicInfo.StartRoutine)->Buffer); } SetDlgItemText(hwndDlg, IDC_WORKERTHREADCONTEXT, PhaFormatString(L"Worker Thread Context: 0x%Ix", basicInfo.StartParameter)->Buffer); } NtClose(workerFactoryHandle); } } break; } return FALSE; }