PPH_STRING VirusTotalStringToTime( _In_ PPH_STRING Time ) { PPH_STRING result = NULL; SYSTEMTIME time = { 0 }; SYSTEMTIME localTime = { 0 }; swscanf( PhGetString(Time), L"%hu-%hu-%hu %hu:%hu:%hu", &time.wYear, &time.wMonth, &time.wDay, &time.wHour, &time.wMinute, &time.wSecond ); if (SystemTimeToTzSpecificLocalTime(NULL, &time, &localTime)) { result = PhFormatDateTime(&localTime); } return result; }
static PPH_STRING PhpGetStringForSelectedLogEntries( __in BOOLEAN All ) { PH_STRING_BUILDER stringBuilder; ULONG i; if (ListViewCount == 0) return PhReferenceEmptyString(); PhInitializeStringBuilder(&stringBuilder, 0x100); i = ListViewCount - 1; while (TRUE) { PPH_LOG_ENTRY entry; SYSTEMTIME systemTime; PPH_STRING temp; if (!All) { // The list view displays the items in reverse order... if (!(ListView_GetItemState(ListViewHandle, ListViewCount - i - 1, LVIS_SELECTED) & LVIS_SELECTED)) { goto ContinueLoop; } } entry = PhGetItemCircularBuffer_PVOID(&PhLogBuffer, i); if (!entry) goto ContinueLoop; PhLargeIntegerToLocalSystemTime(&systemTime, &entry->Time); temp = PhFormatDateTime(&systemTime); PhAppendStringBuilder(&stringBuilder, temp); PhDereferenceObject(temp); PhAppendStringBuilder2(&stringBuilder, L": "); temp = PhFormatLogEntry(entry); PhAppendStringBuilder(&stringBuilder, temp); PhDereferenceObject(temp); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); ContinueLoop: if (i == 0) break; i--; } return PhFinalStringBuilderString(&stringBuilder); }
INT_PTR CALLBACK PhpSessionPropertiesDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { ULONG sessionId = (ULONG)lParam; WINSTATIONINFORMATION winStationInfo; BOOLEAN haveWinStationInfo; WINSTATIONCLIENT clientInfo; BOOLEAN haveClientInfo; ULONG returnLength; PWSTR stateString; SetProp(hwndDlg, L"SessionId", UlongToHandle(sessionId)); PhCenterWindow(hwndDlg, GetParent(hwndDlg)); // Query basic session information haveWinStationInfo = WinStationQueryInformationW( NULL, sessionId, WinStationInformation, &winStationInfo, sizeof(WINSTATIONINFORMATION), &returnLength ); // Query client information haveClientInfo = WinStationQueryInformationW( NULL, sessionId, WinStationClient, &clientInfo, sizeof(WINSTATIONCLIENT), &returnLength ); if (haveWinStationInfo) { SetDlgItemText(hwndDlg, IDC_USERNAME, PhaFormatString(L"%s\\%s", winStationInfo.Domain, winStationInfo.UserName)->Buffer); } SetDlgItemInt(hwndDlg, IDC_SESSIONID, sessionId, FALSE); if (haveWinStationInfo) { if (PhFindStringSiKeyValuePairs( PhpConnectStatePairs, sizeof(PhpConnectStatePairs), winStationInfo.ConnectState, &stateString )) { SetDlgItemText(hwndDlg, IDC_STATE, stateString); } } if (haveWinStationInfo && winStationInfo.LogonTime.QuadPart != 0) { SYSTEMTIME systemTime; PPH_STRING time; PhLargeIntegerToLocalSystemTime(&systemTime, &winStationInfo.LogonTime); time = PhFormatDateTime(&systemTime); SetDlgItemText(hwndDlg, IDC_LOGONTIME, time->Buffer); PhDereferenceObject(time); } if (haveWinStationInfo && winStationInfo.ConnectTime.QuadPart != 0) { SYSTEMTIME systemTime; PPH_STRING time; PhLargeIntegerToLocalSystemTime(&systemTime, &winStationInfo.ConnectTime); time = PhFormatDateTime(&systemTime); SetDlgItemText(hwndDlg, IDC_CONNECTTIME, time->Buffer); PhDereferenceObject(time); } if (haveWinStationInfo && winStationInfo.DisconnectTime.QuadPart != 0) { SYSTEMTIME systemTime; PPH_STRING time; PhLargeIntegerToLocalSystemTime(&systemTime, &winStationInfo.DisconnectTime); time = PhFormatDateTime(&systemTime); SetDlgItemText(hwndDlg, IDC_DISCONNECTTIME, time->Buffer); PhDereferenceObject(time); } if (haveWinStationInfo && winStationInfo.LastInputTime.QuadPart != 0) { SYSTEMTIME systemTime; PPH_STRING time; PhLargeIntegerToLocalSystemTime(&systemTime, &winStationInfo.LastInputTime); time = PhFormatDateTime(&systemTime); SetDlgItemText(hwndDlg, IDC_LASTINPUTTIME, time->Buffer); PhDereferenceObject(time); } if (haveClientInfo && clientInfo.ClientName[0] != 0) { WCHAR addressString[65]; SetDlgItemText(hwndDlg, IDC_CLIENTNAME, clientInfo.ClientName); if (clientInfo.ClientAddressFamily == AF_INET6) { struct in6_addr address; ULONG i; PUSHORT in; PUSHORT out; // IPv6 is special - the client address data is a reversed version of // the real address. in = (PUSHORT)clientInfo.ClientAddress; out = (PUSHORT)address.u.Word; for (i = 8; i != 0; i--) { *out = _byteswap_ushort(*in); in++; out++; } RtlIpv6AddressToString(&address, addressString); } else { wcscpy_s(addressString, 65, clientInfo.ClientAddress); } SetDlgItemText(hwndDlg, IDC_CLIENTADDRESS, addressString); SetDlgItemText(hwndDlg, IDC_CLIENTDISPLAY, PhaFormatString(L"%ux%u@%u", clientInfo.HRes, clientInfo.VRes, clientInfo.ColorDepth)->Buffer ); } SendMessage(hwndDlg, WM_NEXTDLGCTL, (WPARAM)GetDlgItem(hwndDlg, IDOK), TRUE); } break; case WM_DESTROY: { RemoveProp(hwndDlg, L"SessionId"); } break; case WM_COMMAND: { switch (LOWORD(wParam)) { case IDCANCEL: case IDOK: EndDialog(hwndDlg, IDOK); break; } } break; } return FALSE; }
INT_PTR CALLBACK PhpLogDlgProc( __in HWND hwndDlg, __in UINT uMsg, __in WPARAM wParam, __in LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { ListViewHandle = GetDlgItem(hwndDlg, IDC_LIST); PhSetListViewStyle(ListViewHandle, FALSE, TRUE); PhSetControlTheme(ListViewHandle, L"explorer"); PhAddListViewColumn(ListViewHandle, 0, 0, 0, LVCFMT_LEFT, 140, L"Time"); PhAddListViewColumn(ListViewHandle, 1, 1, 1, LVCFMT_LEFT, 260, L"Message"); PhLoadListViewColumnsFromSetting(L"LogListViewColumns", ListViewHandle); PhInitializeLayoutManager(&WindowLayoutManager, hwndDlg); PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_LIST), NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDOK), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_COPY), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_SAVE), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_AUTOSCROLL), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_LEFT); PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_CLEAR), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_LEFT); MinimumSize.left = 0; MinimumSize.top = 0; MinimumSize.right = 290; MinimumSize.bottom = 150; MapDialogRect(hwndDlg, &MinimumSize); PhLoadWindowPlacementFromSetting(L"LogWindowPosition", L"LogWindowSize", hwndDlg); Button_SetCheck(GetDlgItem(hwndDlg, IDC_AUTOSCROLL), BST_CHECKED); PhRegisterCallback(&PhLoggedCallback, LoggedCallback, NULL, &LoggedRegistration); PhpUpdateLogList(); ListView_EnsureVisible(ListViewHandle, ListViewCount - 1, FALSE); } break; case WM_DESTROY: { PhSaveListViewColumnsToSetting(L"LogListViewColumns", ListViewHandle); PhSaveWindowPlacementToSetting(L"LogWindowPosition", L"LogWindowSize", hwndDlg); PhDeleteLayoutManager(&WindowLayoutManager); PhUnregisterCallback(&PhLoggedCallback, &LoggedRegistration); PhUnregisterDialog(PhLogWindowHandle); PhLogWindowHandle = NULL; } break; case WM_COMMAND: { switch (LOWORD(wParam)) { case IDCANCEL: case IDOK: DestroyWindow(hwndDlg); break; case IDC_CLEAR: { PhClearLogEntries(); PhpUpdateLogList(); } break; case IDC_COPY: { PPH_STRING string; ULONG selectedCount; selectedCount = ListView_GetSelectedCount(ListViewHandle); if (selectedCount == 0) { // User didn't select anything, so copy all items. string = PhpGetStringForSelectedLogEntries(TRUE); PhSetStateAllListViewItems(ListViewHandle, LVIS_SELECTED, LVIS_SELECTED); } else { string = PhpGetStringForSelectedLogEntries(FALSE); } PhSetClipboardStringEx(hwndDlg, string->Buffer, string->Length); PhDereferenceObject(string); SetFocus(ListViewHandle); } break; case IDC_SAVE: { static PH_FILETYPE_FILTER filters[] = { { L"Text files (*.txt)", L"*.txt" }, { L"All files (*.*)", L"*.*" } }; PVOID fileDialog; fileDialog = PhCreateSaveFileDialog(); PhSetFileDialogFilter(fileDialog, filters, sizeof(filters) / sizeof(PH_FILETYPE_FILTER)); PhSetFileDialogFileName(fileDialog, L"Process Hacker Log.txt"); if (PhShowFileDialog(hwndDlg, fileDialog)) { NTSTATUS status; PPH_STRING fileName; PPH_FILE_STREAM fileStream; PPH_STRING string; fileName = PhGetFileDialogFileName(fileDialog); PhaDereferenceObject(fileName); if (NT_SUCCESS(status = PhCreateFileStream( &fileStream, fileName->Buffer, FILE_GENERIC_WRITE, FILE_SHARE_READ, FILE_OVERWRITE_IF, 0 ))) { PhWritePhTextHeader(fileStream); string = PhpGetStringForSelectedLogEntries(TRUE); PhWriteStringAsAnsiFileStreamEx(fileStream, string->Buffer, string->Length); PhDereferenceObject(string); PhDereferenceObject(fileStream); } if (!NT_SUCCESS(status)) PhShowStatus(hwndDlg, L"Unable to create the file", status, 0); } PhFreeFileDialog(fileDialog); } break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case LVN_GETDISPINFO: { NMLVDISPINFO *dispInfo = (NMLVDISPINFO *)header; PPH_LOG_ENTRY entry; entry = PhGetItemCircularBuffer_PVOID(&PhLogBuffer, ListViewCount - dispInfo->item.iItem - 1); if (dispInfo->item.iSubItem == 0) { if (dispInfo->item.mask & LVIF_TEXT) { SYSTEMTIME systemTime; PPH_STRING dateTime; PhLargeIntegerToLocalSystemTime(&systemTime, &entry->Time); dateTime = PhFormatDateTime(&systemTime); wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, dateTime->Buffer, _TRUNCATE); PhDereferenceObject(dateTime); } } else if (dispInfo->item.iSubItem == 1) { if (dispInfo->item.mask & LVIF_TEXT) { PPH_STRING string; string = PhFormatLogEntry(entry); wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, string->Buffer, _TRUNCATE); PhDereferenceObject(string); } } } break; } } break; case WM_SIZE: { PhLayoutManagerLayout(&WindowLayoutManager); } break; case WM_SIZING: { PhResizingMinimumSize((PRECT)lParam, wParam, MinimumSize.right, MinimumSize.bottom); } break; case WM_PH_LOG_UPDATED: { PhpUpdateLogList(); } break; } return FALSE; }
BOOLEAN EtpRefreshUnloadedDlls( __in HWND hwndDlg, __in PUNLOADED_DLLS_CONTEXT Context ) { NTSTATUS status; PULONG elementSize; PULONG elementCount; PVOID eventTrace; HANDLE processHandle = NULL; ULONG eventTraceSize; ULONG capturedElementSize; ULONG capturedElementCount; PVOID capturedEventTracePointer; PVOID capturedEventTrace = NULL; ULONG i; PVOID currentEvent; HWND lvHandle; lvHandle = GetDlgItem(hwndDlg, IDC_LIST); ListView_DeleteAllItems(lvHandle); RtlGetUnloadEventTraceEx(&elementSize, &elementCount, &eventTrace); if (!NT_SUCCESS(status = PhOpenProcess(&processHandle, PROCESS_VM_READ, Context->ProcessItem->ProcessId))) goto CleanupExit; // We have the pointers for the unload event trace information. // Since ntdll is loaded at the same base address across all processes, // we can read the information in. if (!NT_SUCCESS(status = PhReadVirtualMemory( processHandle, elementSize, &capturedElementSize, sizeof(ULONG), NULL ))) goto CleanupExit; if (!NT_SUCCESS(status = PhReadVirtualMemory( processHandle, elementCount, &capturedElementCount, sizeof(ULONG), NULL ))) goto CleanupExit; if (!NT_SUCCESS(status = PhReadVirtualMemory( processHandle, eventTrace, &capturedEventTracePointer, sizeof(PVOID), NULL ))) goto CleanupExit; if (!capturedEventTracePointer) goto CleanupExit; // no events if (capturedElementCount > 0x4000) capturedElementCount = 0x4000; eventTraceSize = capturedElementSize * capturedElementCount; capturedEventTrace = PhAllocateSafe(eventTraceSize); if (!capturedEventTrace) { status = STATUS_NO_MEMORY; goto CleanupExit; } if (!NT_SUCCESS(status = PhReadVirtualMemory( processHandle, capturedEventTracePointer, capturedEventTrace, eventTraceSize, NULL ))) goto CleanupExit; currentEvent = capturedEventTrace; ExtendedListView_SetRedraw(lvHandle, FALSE); for (i = 0; i < capturedElementCount; i++) { PRTL_UNLOAD_EVENT_TRACE rtlEvent = currentEvent; INT lvItemIndex; WCHAR buffer[128]; PPH_STRING string; LARGE_INTEGER time; SYSTEMTIME systemTime; if (!rtlEvent->BaseAddress) break; PhPrintUInt32(buffer, rtlEvent->Sequence); lvItemIndex = PhAddListViewItem(lvHandle, MAXINT, buffer, rtlEvent); // Name if (PhCopyUnicodeStringZ(rtlEvent->ImageName, sizeof(rtlEvent->ImageName) / sizeof(WCHAR), buffer, sizeof(buffer) / sizeof(WCHAR), NULL)) { PhSetListViewSubItem(lvHandle, lvItemIndex, 1, buffer); } // Base Address PhPrintPointer(buffer, rtlEvent->BaseAddress); PhSetListViewSubItem(lvHandle, lvItemIndex, 2, buffer); // Size string = PhFormatSize(rtlEvent->SizeOfImage, -1); PhSetListViewSubItem(lvHandle, lvItemIndex, 3, string->Buffer); PhDereferenceObject(string); // Time Stamp RtlSecondsSince1970ToTime(rtlEvent->TimeDateStamp, &time); PhLargeIntegerToLocalSystemTime(&systemTime, &time); string = PhFormatDateTime(&systemTime); PhSetListViewSubItem(lvHandle, lvItemIndex, 4, string->Buffer); PhDereferenceObject(string); // Checksum PhPrintPointer(buffer, UlongToPtr(rtlEvent->CheckSum)); PhSetListViewSubItem(lvHandle, lvItemIndex, 5, buffer); currentEvent = PTR_ADD_OFFSET(currentEvent, capturedElementSize); } ExtendedListView_SortItems(lvHandle); ExtendedListView_SetRedraw(lvHandle, TRUE); if (Context->CapturedEventTrace) PhFree(Context->CapturedEventTrace); Context->CapturedEventTrace = capturedEventTrace; CleanupExit: if (processHandle) NtClose(processHandle); if (NT_SUCCESS(status)) { return TRUE; } else { PhShowStatus(hwndDlg, L"Unable to retrieve unload event trace information", status, 0); return FALSE; } }