/**
 * Finds the module item registered for a base address and returns it with
 * an extra reference.
 *
 * @param ModuleProvider Provider whose ModuleHashtable is searched.
 * @param BaseAddress Base address used as the lookup key.
 * @return The matching module item after PhReferenceObject has been called
 *         on it, or NULL when the hashtable has no entry for BaseAddress.
 *         The caller presumably owns that reference and must release it.
 */
PPH_MODULE_ITEM PhReferenceModuleItem(
    __in PPH_MODULE_PROVIDER ModuleProvider,
    __in PVOID BaseAddress
    )
{
    PH_MODULE_ITEM key;
    PPH_MODULE_ITEM keyPtr = &key;
    PPH_MODULE_ITEM *slot;
    PPH_MODULE_ITEM found = NULL;

    /* Only BaseAddress is filled in; every other field of the stack key is
       left uninitialized. NOTE(review): assumes the hashtable callbacks
       read nothing but BaseAddress - confirm. */
    key.BaseAddress = BaseAddress;

    PhAcquireFastLockShared(&ModuleProvider->ModuleHashtableLock);

    /* The table is queried with a pointer to an item pointer, and the
       result is a pointer to the stored item pointer. */
    slot = (PPH_MODULE_ITEM *)PhFindEntryHashtable(
        ModuleProvider->ModuleHashtable,
        &keyPtr
        );

    if (slot)
    {
        /* The reference is taken while the shared lock is still held, so
           the item is pinned before the lock is released. */
        found = *slot;
        PhReferenceObject(found);
    }

    PhReleaseFastLockShared(&ModuleProvider->ModuleHashtableLock);

    return found;
}
/**
 * Maps a file object pointer to the file name recorded for it.
 *
 * @param FileObject File object value used as the hashtable key.
 * @return The stored file name with an extra reference taken via
 *         PhReferenceObject, or NULL when no entry exists for FileObject.
 */
PPH_STRING EtFileObjectToFileName(
    __in PVOID FileObject
    )
{
    PH_KEY_VALUE_PAIR lookupPair;
    PPH_KEY_VALUE_PAIR entry;
    PPH_STRING result = NULL;

    /* Only the key is set; the Value field of the lookup pair is unused. */
    lookupPair.Key = FileObject;

    PhAcquireQueuedLockShared(&EtFileNameHashtableLock);

    entry = PhFindEntryHashtable(EtFileNameHashtable, &lookupPair);

    if (entry)
    {
        /* Take the reference before releasing the lock so the string
           cannot be dropped by a writer between lookup and return. */
        result = entry->Value;
        PhReferenceObject(result);
    }

    PhReleaseQueuedLockShared(&EtFileNameHashtableLock);

    return result;
}
/**
 * Finds the disk item for a (process ID, file name) pair and returns it
 * with an extra reference.
 *
 * @param ProcessId Process ID half of the lookup key.
 * @param FileName File name half of the lookup key.
 * @return The matching disk item after PhReferenceObject has been called
 *         on it, or NULL when EtDiskHashtable has no matching entry.
 */
PET_DISK_ITEM EtReferenceDiskItem(
    __in HANDLE ProcessId,
    __in PPH_STRING FileName
    )
{
    ET_DISK_ITEM key;
    PET_DISK_ITEM keyPtr = &key;
    PET_DISK_ITEM *slot;
    PET_DISK_ITEM found = NULL;

    /* Only the two key fields are populated; the remainder of the stack
       item is left uninitialized. */
    key.ProcessId = ProcessId;
    key.FileName = FileName;

    PhAcquireQueuedLockShared(&EtDiskHashtableLock);

    slot = (PET_DISK_ITEM *)PhFindEntryHashtable(
        EtDiskHashtable,
        &keyPtr
        );

    if (slot)
    {
        /* Referenced under the shared lock, before it is released. */
        found = *slot;
        PhReferenceObject(found);
    }

    PhReleaseQueuedLockShared(&EtDiskHashtableLock);

    return found;
}
/**
 * Finds the thread item registered for a thread ID and returns it with an
 * extra reference.
 *
 * @param ThreadProvider Provider whose ThreadHashtable is searched.
 * @param ThreadId Thread ID used as the lookup key.
 * @return The matching thread item after PhReferenceObject has been called
 *         on it, or NULL when no entry exists for ThreadId.
 */
PPH_THREAD_ITEM PhReferenceThreadItem(
    __in PPH_THREAD_PROVIDER ThreadProvider,
    __in HANDLE ThreadId
    )
{
    PH_THREAD_ITEM key;
    PPH_THREAD_ITEM keyPtr = &key;
    PPH_THREAD_ITEM *slot;
    PPH_THREAD_ITEM found = NULL;

    /* Only ThreadId is set on the stack key; other fields stay
       uninitialized. */
    key.ThreadId = ThreadId;

    PhAcquireFastLockShared(&ThreadProvider->ThreadHashtableLock);

    slot = (PPH_THREAD_ITEM *)PhFindEntryHashtable(
        ThreadProvider->ThreadHashtable,
        &keyPtr
        );

    if (slot)
    {
        /* Pin the item while the shared lock is still held. */
        found = *slot;
        PhReferenceObject(found);
    }

    PhReleaseFastLockShared(&ThreadProvider->ThreadHashtableLock);

    return found;
}
/**
 * Finds the disk item for a (process ID, file name) pair and hands it back
 * through PhSetReference.
 *
 * @param ProcessId Process ID half of the lookup key.
 * @param FileName File name half of the lookup key.
 * @return The matching disk item as stored by PhSetReference, or NULL when
 *         EtDiskHashtable has no matching entry.
 */
PET_DISK_ITEM EtReferenceDiskItem(
    _In_ HANDLE ProcessId,
    _In_ PPH_STRING FileName
    )
{
    ET_DISK_ITEM key;
    PET_DISK_ITEM keyPtr = &key;
    PET_DISK_ITEM *slot;
    PET_DISK_ITEM found;

    /* Only the two key fields are populated on the stack item. */
    key.ProcessId = ProcessId;
    key.FileName = FileName;

    PhAcquireQueuedLockShared(&EtDiskHashtableLock);

    slot = (PET_DISK_ITEM *)PhFindEntryHashtable(
        EtDiskHashtable,
        &keyPtr
        );

    if (!slot)
    {
        found = NULL;
    }
    else
    {
        /* Done before the lock is released. NOTE(review): PhSetReference
           presumably adds a reference to *slot and stores it in found -
           confirm against its definition. */
        PhSetReference(&found, *slot);
    }

    PhReleaseQueuedLockShared(&EtDiskHashtableLock);

    return found;
}
/**
 * Looks up a setting by name in PhSettingsHashtable.
 *
 * @param Name Setting name; the string reference is copied into the
 *        lookup key.
 * @return The entry returned by PhFindEntryHashtable, or NULL when the
 *         name is not present.
 *
 * NOTE(review): no lock is acquired and no reference is taken in this
 * function; the caller presumably serializes access to the settings
 * table - confirm.
 */
static PVOID PhpLookupSetting(
    _In_ PPH_STRINGREF Name
    )
{
    PH_SETTING key;

    /* Only the Name field takes part in the lookup as far as this
       function shows; the rest of the key is left uninitialized. */
    key.Name = *Name;

    return (PPH_SETTING)PhFindEntryHashtable(
        PhSettingsHashtable,
        &key
        );
}
/**
 * Looks up a service item by name in PhServiceHashtable.
 *
 * @param Name Service name; the string reference is copied into the Key
 *        field of the lookup item.
 * @return The stored service item pointer, or NULL when the name is not
 *         present.
 *
 * NOTE(review): unlike the Reference* lookups, this function neither takes
 * a lock nor adds a reference, so the returned pointer is only as stable
 * as whatever protection the caller holds - confirm at the call sites.
 */
PPH_SERVICE_ITEM PhpLookupServiceItem(
    _In_ PPH_STRINGREF Name
    )
{
    PH_SERVICE_ITEM key;
    PPH_SERVICE_ITEM keyPtr = &key;
    PPH_SERVICE_ITEM *slot;

    key.Key = *Name;

    /* The table is queried with a pointer to an item pointer. */
    slot = (PPH_SERVICE_ITEM *)PhFindEntryHashtable(
        PhServiceHashtable,
        &keyPtr
        );

    return slot ? *slot : NULL;
}
/**
 * Looks up a database object by tag and name in ObjectDb.
 *
 * @param Tag Tag half of the lookup key.
 * @param Name Name half of the lookup key; the string reference is copied
 *        into the Key field.
 * @return The stored object pointer, or NULL when no entry matches.
 *
 * NOTE(review): no lock is acquired and no reference is taken here; the
 * caller presumably holds whatever lock guards ObjectDb - confirm.
 */
PDB_OBJECT FindDbObject(
    _In_ ULONG Tag,
    _In_ PPH_STRINGREF Name
    )
{
    DB_OBJECT key;
    PDB_OBJECT keyPtr = &key;
    PDB_OBJECT *slot;

    /* Only Tag and Key are populated on the stack object. */
    key.Tag = Tag;
    key.Key = *Name;

    slot = PhFindEntryHashtable(ObjectDb, &keyPtr);

    return slot ? *slot : NULL;
}
/**
 * Plugin callback that appends the Sandboxie box name to a process tooltip
 * when the process is present in BoxedProcessesHashtable.
 *
 * @param Parameter Pointer to a PH_PLUGIN_GET_TOOLTIP_TEXT structure; its
 *        Parameter field is read as a PPH_PROCESS_ITEM.
 * @param Context Not used by this function.
 *
 * NOTE(review): Parameter is annotated __in_opt but is dereferenced without
 * a NULL check; this relies on the caller always supplying it - confirm.
 */
VOID NTAPI GetProcessTooltipTextCallback(
    __in_opt PVOID Parameter,
    __in_opt PVOID Context
    )
{
    PPH_PLUGIN_GET_TOOLTIP_TEXT tooltipRequest = Parameter;
    BOXED_PROCESS key;
    PBOXED_PROCESS entry;

    PhAcquireQueuedLockShared(&BoxedProcessesLock);

    key.ProcessId = ((PPH_PROCESS_ITEM)tooltipRequest->Parameter)->ProcessId;
    entry = PhFindEntryHashtable(BoxedProcessesHashtable, &key);

    if (entry)
    {
        /* BoxName is read and formatted while the shared lock is held, so
           the entry is not used after the lock is released. */
        PhAppendFormatStringBuilder(
            tooltipRequest->StringBuilder,
            L"Sandboxie:\n Box name: %s\n",
            entry->BoxName
            );
    }

    PhReleaseQueuedLockShared(&BoxedProcessesLock);
}
/**
 * Keeps EtFileNameHashtable in step with ETW file events.
 *
 * Create and rundown events add or update the file object's entry with a
 * new string built from the event's file name; delete events release the
 * stored string and remove the entry. Other event types are ignored, and
 * nothing is done at all when EtDiskEnabled is false.
 *
 * @param Event The file event; Type, FileObject and FileName are read.
 */
VOID EtDiskProcessFileEvent(
    __in PET_ETW_FILE_EVENT Event
    )
{
    PH_KEY_VALUE_PAIR lookupPair;
    PPH_KEY_VALUE_PAIR entry;

    if (!EtDiskEnabled)
        return;

    if (Event->Type == EtEtwFileCreateType || Event->Type == EtEtwFileRundownType)
    {
        lookupPair.Key = Event->FileObject;
        lookupPair.Value = NULL;

        PhAcquireQueuedLockExclusive(&EtFileNameHashtableLock);

        /* NOTE(review): the result is used without a NULL check, and the
           new string is installed with PhSwapReference2, which presumably
           releases any previous Value and takes ownership of the new
           string - confirm both against the hashtable and reference APIs. */
        entry = PhAddEntryHashtableEx(EtFileNameHashtable, &lookupPair, NULL);
        PhSwapReference2(
            &entry->Value,
            PhCreateStringEx(Event->FileName.Buffer, Event->FileName.Length)
            );

        PhReleaseQueuedLockExclusive(&EtFileNameHashtableLock);
    }
    else if (Event->Type == EtEtwFileDeleteType)
    {
        /* Only the key is set for the removal lookup. */
        lookupPair.Key = Event->FileObject;

        PhAcquireQueuedLockExclusive(&EtFileNameHashtableLock);

        entry = PhFindEntryHashtable(EtFileNameHashtable, &lookupPair);

        if (entry)
        {
            /* Release the stored string first, then drop the entry, all
               under the exclusive lock so readers never see a stale
               Value. */
            PhDereferenceObject(entry->Value);
            PhRemoveEntryHashtable(EtFileNameHashtable, &lookupPair);
        }

        PhReleaseQueuedLockExclusive(&EtFileNameHashtableLock);
    }
}
/**
 * Plugin callback that assigns a highlighting colour to processes present
 * in BoxedProcessesHashtable.
 *
 * @param Parameter Pointer to a PH_PLUGIN_GET_HIGHLIGHTING_COLOR structure;
 *        its Parameter field is read as a PPH_PROCESS_ITEM. BackColor,
 *        Cache and Handled are written when the process is found.
 * @param Context Not used by this function.
 *
 * NOTE(review): Parameter is annotated __in_opt but is dereferenced without
 * a NULL check; this relies on the caller always supplying it - confirm.
 */
VOID NTAPI GetProcessHighlightingColorCallback(
    __in_opt PVOID Parameter,
    __in_opt PVOID Context
    )
{
    PPH_PLUGIN_GET_HIGHLIGHTING_COLOR colorRequest = Parameter;
    BOXED_PROCESS key;
    PBOXED_PROCESS entry;

    PhAcquireQueuedLockShared(&BoxedProcessesLock);

    key.ProcessId = ((PPH_PROCESS_ITEM)colorRequest->Parameter)->ProcessId;
    entry = PhFindEntryHashtable(BoxedProcessesHashtable, &key);

    if (entry)
    {
        /* Only the presence of the entry matters; none of its fields are
           read here. */
        colorRequest->BackColor = RGB(0x33, 0x33, 0x00);
        colorRequest->Cache = TRUE;
        colorRequest->Handled = TRUE;
    }

    PhReleaseQueuedLockShared(&BoxedProcessesLock);
}