PPH_LOG_ENTRY PhpCreateProcessLogEntry(
_In_ UCHAR Type,
_In_ HANDLE ProcessId,
_In_ PPH_STRING Name,
_In_opt_ HANDLE ParentProcessId,
_In_opt_ PPH_STRING ParentName
)
{
PPH_LOG_ENTRY entry;
entry = PhpCreateLogEntry(Type);
entry->Process.ProcessId = ProcessId;
PhReferenceObject(Name);
entry->Process.Name = Name;
entry->Process.ParentProcessId = ParentProcessId;
if (ParentName)
{
PhReferenceObject(ParentName);
entry->Process.ParentName = ParentName;
}
return entry;
}
VOID PhSaveSettingsColumnSet(
_In_ PWSTR SettingName,
_In_ PPH_STRING ColumnSetName,
_In_ PPH_STRING TreeListSettings,
_In_ PPH_STRING TreeSortSettings
)
{
ULONG index;
BOOLEAN found = FALSE;
PPH_LIST columnSetList;
columnSetList = PhInitializeColumnSetList(SettingName);
for (index = 0; index < columnSetList->Count; index++)
{
PPH_COLUMN_SET_ENTRY entry = columnSetList->Items[index];
if (PhEqualString(entry->Name, ColumnSetName, FALSE))
{
PhReferenceObject(TreeListSettings);
PhReferenceObject(TreeSortSettings);
PhMoveReference(&entry->Setting, TreeListSettings);
PhMoveReference(&entry->Sorting, TreeSortSettings);
found = TRUE;
break;
}
}
if (!found)
{
PPH_COLUMN_SET_ENTRY entry;
PhReferenceObject(ColumnSetName);
PhReferenceObject(TreeListSettings);
PhReferenceObject(TreeSortSettings);
entry = PhAllocate(sizeof(PH_COLUMN_SET_ENTRY));
entry->Name = ColumnSetName;
entry->Setting = TreeListSettings;
entry->Sorting = TreeSortSettings;
PhAddItemList(columnSetList, entry);
}
PhSaveSettingsColumnList(SettingName, columnSetList);
PhDeleteColumnSetList(columnSetList);
}
static BOOLEAN NTAPI EnumModulesCallback(
__in PPH_MODULE_INFO Module,
__in_opt PVOID Context
)
{
PPH_MODULE_INFO copy;
copy = PhAllocateCopy(Module, sizeof(PH_MODULE_INFO));
PhReferenceObject(copy->Name);
PhReferenceObject(copy->FileName);
PhAddItemList((PPH_LIST)Context, copy);
return TRUE;
}
static BOOLEAN NTAPI PhpHiddenProcessesCallback(
_In_ PPH_HIDDEN_PROCESS_ENTRY Process,
_In_opt_ PVOID Context
)
{
PPH_HIDDEN_PROCESS_ENTRY entry;
INT lvItemIndex;
WCHAR pidString[PH_INT32_STR_LEN_1];
entry = PhAllocateCopy(Process, sizeof(PH_HIDDEN_PROCESS_ENTRY));
if (entry->FileName)
PhReferenceObject(entry->FileName);
PhAddItemList(ProcessesList, entry);
lvItemIndex = PhAddListViewItem(PhHiddenProcessesListViewHandle, MAXINT,
PhGetStringOrDefault(entry->FileName, L"(unknown)"), entry);
PhPrintUInt32(pidString, HandleToUlong(entry->ProcessId));
PhSetListViewSubItem(PhHiddenProcessesListViewHandle, lvItemIndex, 1, pidString);
if (entry->Type == HiddenProcess)
NumberOfHiddenProcesses++;
else if (entry->Type == TerminatedProcess)
NumberOfTerminatedProcesses++;
return TRUE;
}
HRESULT CALLBACK ShowProgressCallbackProc(
_In_ HWND hwndDlg,
_In_ UINT uMsg,
_In_ WPARAM wParam,
_In_ LPARAM lParam,
_In_ LONG_PTR dwRefData
)
{
PPH_UPDATER_CONTEXT context = (PPH_UPDATER_CONTEXT)dwRefData;
switch (uMsg)
{
case TDN_NAVIGATED:
{
SendMessage(hwndDlg, TDM_SET_MARQUEE_PROGRESS_BAR, TRUE, 0);
SendMessage(hwndDlg, TDM_SET_PROGRESS_BAR_MARQUEE, TRUE, 1);
PhReferenceObject(context);
PhQueueItemWorkQueue(PhGetGlobalWorkQueue(), UpdateDownloadThread, context);
}
break;
case TDN_HYPERLINK_CLICKED:
{
TaskDialogLinkClicked(context);
}
break;
}
return S_OK;
}
VOID PhpQueueThreadQuery(
__in PPH_THREAD_PROVIDER ThreadProvider,
__in PPH_THREAD_ITEM ThreadItem
)
{
PPH_THREAD_QUERY_DATA data;
data = PhAllocate(sizeof(PH_THREAD_QUERY_DATA));
memset(data, 0, sizeof(PH_THREAD_QUERY_DATA));
data->ThreadProvider = ThreadProvider;
data->ThreadItem = ThreadItem;
PhReferenceObject(ThreadProvider);
PhReferenceObject(ThreadItem);
PhpQueueThreadWorkQueueItem(PhpThreadQueryWorker, data);
}
HRESULT CALLBACK CheckingForUpdatesCallbackProc(
_In_ HWND hwndDlg,
_In_ UINT uMsg,
_In_ WPARAM wParam,
_In_ LPARAM lParam,
_In_ LONG_PTR dwRefData
)
{
PPH_UPDATER_CONTEXT context = (PPH_UPDATER_CONTEXT)dwRefData;
switch (uMsg)
{
case TDN_NAVIGATED:
{
SendMessage(hwndDlg, TDM_SET_MARQUEE_PROGRESS_BAR, TRUE, 0);
SendMessage(hwndDlg, TDM_SET_PROGRESS_BAR_MARQUEE, TRUE, 1);
PhReferenceObject(context);
PhQueueItemWorkQueue(PhGetGlobalWorkQueue(), UpdateCheckThread, context);
}
break;
}
return S_OK;
}
PPH_LOG_ENTRY PhpCreateServiceLogEntry(
_In_ UCHAR Type,
_In_ PPH_STRING Name,
_In_ PPH_STRING DisplayName
)
{
PPH_LOG_ENTRY entry;
entry = PhpCreateLogEntry(Type);
PhReferenceObject(Name);
entry->Service.Name = Name;
PhReferenceObject(DisplayName);
entry->Service.DisplayName = DisplayName;
return entry;
}
PPH_THREAD_ITEM PhReferenceThreadItem(
__in PPH_THREAD_PROVIDER ThreadProvider,
__in HANDLE ThreadId
)
{
PH_THREAD_ITEM lookupThreadItem;
PPH_THREAD_ITEM lookupThreadItemPtr = &lookupThreadItem;
PPH_THREAD_ITEM *threadItemPtr;
PPH_THREAD_ITEM threadItem;
lookupThreadItem.ThreadId = ThreadId;
PhAcquireFastLockShared(&ThreadProvider->ThreadHashtableLock);
threadItemPtr = (PPH_THREAD_ITEM *)PhFindEntryHashtable(
ThreadProvider->ThreadHashtable,
&lookupThreadItemPtr
);
if (threadItemPtr)
{
threadItem = *threadItemPtr;
PhReferenceObject(threadItem);
}
else
{
threadItem = NULL;
}
PhReleaseFastLockShared(&ThreadProvider->ThreadHashtableLock);
return threadItem;
}
PET_DISK_ITEM EtReferenceDiskItem(
__in HANDLE ProcessId,
__in PPH_STRING FileName
)
{
ET_DISK_ITEM lookupDiskItem;
PET_DISK_ITEM lookupDiskItemPtr = &lookupDiskItem;
PET_DISK_ITEM *diskItemPtr;
PET_DISK_ITEM diskItem;
lookupDiskItem.ProcessId = ProcessId;
lookupDiskItem.FileName = FileName;
PhAcquireQueuedLockShared(&EtDiskHashtableLock);
diskItemPtr = (PET_DISK_ITEM *)PhFindEntryHashtable(
EtDiskHashtable,
&lookupDiskItemPtr
);
if (diskItemPtr)
{
diskItem = *diskItemPtr;
PhReferenceObject(diskItem);
}
else
{
diskItem = NULL;
}
PhReleaseQueuedLockShared(&EtDiskHashtableLock);
return diskItem;
}
PPH_STRING EtFileObjectToFileName(
__in PVOID FileObject
)
{
PH_KEY_VALUE_PAIR pair;
PPH_KEY_VALUE_PAIR realPair;
PPH_STRING fileName;
pair.Key = FileObject;
fileName = NULL;
PhAcquireQueuedLockShared(&EtFileNameHashtableLock);
realPair = PhFindEntryHashtable(EtFileNameHashtable, &pair);
if (realPair)
{
fileName = realPair->Value;
PhReferenceObject(fileName);
}
PhReleaseQueuedLockShared(&EtFileNameHashtableLock);
return fileName;
}
PPH_STRING PhFormatLogEntry(
_In_ PPH_LOG_ENTRY Entry
)
{
switch (Entry->Type)
{
case PH_LOG_ENTRY_PROCESS_CREATE:
return PhFormatString(
L"Process created: %s (%u) started by %s (%u)",
Entry->Process.Name->Buffer,
(ULONG)Entry->Process.ProcessId,
PhGetStringOrDefault(Entry->Process.ParentName, L"Unknown Process"),
(ULONG)Entry->Process.ParentProcessId
);
case PH_LOG_ENTRY_PROCESS_DELETE:
return PhFormatString(L"Process terminated: %s (%u)", Entry->Process.Name->Buffer, (ULONG)Entry->Process.ProcessId);
case PH_LOG_ENTRY_SERVICE_CREATE:
return PhFormatString(L"Service created: %s (%s)", Entry->Service.Name->Buffer, Entry->Service.DisplayName->Buffer);
case PH_LOG_ENTRY_SERVICE_DELETE:
return PhFormatString(L"Service deleted: %s (%s)", Entry->Service.Name->Buffer, Entry->Service.DisplayName->Buffer);
case PH_LOG_ENTRY_SERVICE_START:
return PhFormatString(L"Service started: %s (%s)", Entry->Service.Name->Buffer, Entry->Service.DisplayName->Buffer);
case PH_LOG_ENTRY_SERVICE_STOP:
return PhFormatString(L"Service stopped: %s (%s)", Entry->Service.Name->Buffer, Entry->Service.DisplayName->Buffer);
case PH_LOG_ENTRY_SERVICE_CONTINUE:
return PhFormatString(L"Service continued: %s (%s)", Entry->Service.Name->Buffer, Entry->Service.DisplayName->Buffer);
case PH_LOG_ENTRY_SERVICE_PAUSE:
return PhFormatString(L"Service paused: %s (%s)", Entry->Service.Name->Buffer, Entry->Service.DisplayName->Buffer);
case PH_LOG_ENTRY_MESSAGE:
PhReferenceObject(Entry->Message);
return Entry->Message;
default:
return PhReferenceEmptyString();
}
}
VOID PhShowMemoryResultsDialog(
_In_ HANDLE ProcessId,
_In_ PPH_LIST Results
)
{
HWND windowHandle;
PMEMORY_RESULTS_CONTEXT context;
ULONG i;
context = PhAllocate(sizeof(MEMORY_RESULTS_CONTEXT));
context->ProcessId = ProcessId;
context->Results = Results;
PhReferenceObject(Results);
for (i = 0; i < Results->Count; i++)
PhReferenceMemoryResult(Results->Items[i]);
windowHandle = CreateDialogParam(
PhInstanceHandle,
MAKEINTRESOURCE(IDD_MEMRESULTS),
NULL,
PhpMemoryResultsDlgProc,
(LPARAM)context
);
ShowWindow(windowHandle, SW_SHOW);
}
PPH_MODULE_ITEM PhReferenceModuleItem(
__in PPH_MODULE_PROVIDER ModuleProvider,
__in PVOID BaseAddress
)
{
PH_MODULE_ITEM lookupModuleItem;
PPH_MODULE_ITEM lookupModuleItemPtr = &lookupModuleItem;
PPH_MODULE_ITEM *moduleItemPtr;
PPH_MODULE_ITEM moduleItem;
lookupModuleItem.BaseAddress = BaseAddress;
PhAcquireFastLockShared(&ModuleProvider->ModuleHashtableLock);
moduleItemPtr = (PPH_MODULE_ITEM *)PhFindEntryHashtable(
ModuleProvider->ModuleHashtable,
&lookupModuleItemPtr
);
if (moduleItemPtr)
{
moduleItem = *moduleItemPtr;
PhReferenceObject(moduleItem);
}
else
{
moduleItem = NULL;
}
PhReleaseFastLockShared(&ModuleProvider->ModuleHashtableLock);
return moduleItem;
}
VOID PhRegisterThreadProvider(
__in PPH_THREAD_PROVIDER ThreadProvider,
__out PPH_CALLBACK_REGISTRATION CallbackRegistration
)
{
PhReferenceObject(ThreadProvider);
PhRegisterCallback(&PhProcessesUpdatedEvent, PhpThreadProviderCallbackHandler, ThreadProvider, CallbackRegistration);
}
static BOOLEAN NTAPI EnumModulesCallback(
__in PPH_MODULE_INFO Module,
__in_opt PVOID Context
)
{
PPH_STRING upperFileName;
upperFileName = PhDuplicateString(Module->FileName);
PhUpperString(upperFileName);
if (
PhFindStringInString(upperFileName, 0, SearchString->Buffer) != -1 ||
(UseSearchPointer && Module->BaseAddress == (PVOID)SearchPointer)
)
{
PPHP_OBJECT_SEARCH_RESULT searchResult;
PWSTR typeName;
switch (Module->Type)
{
case PH_MODULE_TYPE_MAPPED_FILE:
typeName = L"Mapped File";
break;
case PH_MODULE_TYPE_MAPPED_IMAGE:
typeName = L"Mapped Image";
break;
default:
typeName = L"DLL";
break;
}
searchResult = PhAllocate(sizeof(PHP_OBJECT_SEARCH_RESULT));
searchResult->ProcessId = (HANDLE)Context;
searchResult->ResultType = (Module->Type == PH_MODULE_TYPE_MAPPED_FILE || Module->Type == PH_MODULE_TYPE_MAPPED_IMAGE) ? MappedFileSearchResult : ModuleSearchResult;
searchResult->Handle = (HANDLE)Module->BaseAddress;
searchResult->TypeName = PhCreateString(typeName);
PhReferenceObject(Module->FileName);
searchResult->Name = Module->FileName;
PhPrintPointer(searchResult->HandleString, Module->BaseAddress);
memset(&searchResult->Info, 0, sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX));
PhAcquireQueuedLockExclusive(&SearchResultsLock);
PhAddItemList(SearchResults, searchResult);
// Update the search results in batches of 40.
if (SearchResults->Count % 40 == 0)
PostMessage(PhFindObjectsWindowHandle, WM_PH_SEARCH_UPDATE, 0, 0);
PhReleaseQueuedLockExclusive(&SearchResultsLock);
}
PhDereferenceObject(upperFileName);
return TRUE;
}
VOID PhpQueueModuleQuery(
__in PPH_MODULE_PROVIDER ModuleProvider,
__in PPH_MODULE_ITEM ModuleItem
)
{
PPH_MODULE_QUERY_DATA data;
if (!PhEnableProcessQueryStage2)
return;
data = PhAllocate(sizeof(PH_MODULE_QUERY_DATA));
memset(data, 0, sizeof(PH_MODULE_QUERY_DATA));
data->ModuleProvider = ModuleProvider;
data->ModuleItem = ModuleItem;
PhReferenceObject(ModuleProvider);
PhReferenceObject(ModuleItem);
PhQueueItemGlobalWorkQueue(PhpModuleQueryWorker, data);
}
static VOID NTAPI ThreadAddedHandler(
_In_opt_ PVOID Parameter,
_In_opt_ PVOID Context
)
{
PPH_THREADS_CONTEXT threadsContext = (PPH_THREADS_CONTEXT)Context;
// Parameter contains a pointer to the added thread item.
PhReferenceObject(Parameter);
PhPushProviderEventQueue(&threadsContext->EventQueue, ProviderAddedEvent, Parameter, (ULONG)threadsContext->Provider->RunId);
}
PPH_LOG_ENTRY PhpCreateMessageLogEntry(
_In_ UCHAR Type,
_In_ PPH_STRING Message
)
{
PPH_LOG_ENTRY entry;
entry = PhpCreateLogEntry(Type);
PhReferenceObject(Message);
entry->Message = Message;
return entry;
}
PPH_THREAD_PROVIDER PhCreateThreadProvider(
__in HANDLE ProcessId
)
{
PPH_THREAD_PROVIDER threadProvider;
if (!NT_SUCCESS(PhCreateObject(
&threadProvider,
sizeof(PH_THREAD_PROVIDER),
0,
PhThreadProviderType
)))
return NULL;
threadProvider->ThreadHashtable = PhCreateHashtable(
sizeof(PPH_THREAD_ITEM),
PhpThreadHashtableCompareFunction,
PhpThreadHashtableHashFunction,
20
);
PhInitializeFastLock(&threadProvider->ThreadHashtableLock);
PhInitializeCallback(&threadProvider->ThreadAddedEvent);
PhInitializeCallback(&threadProvider->ThreadModifiedEvent);
PhInitializeCallback(&threadProvider->ThreadRemovedEvent);
PhInitializeCallback(&threadProvider->UpdatedEvent);
PhInitializeCallback(&threadProvider->LoadingStateChangedEvent);
threadProvider->ProcessId = ProcessId;
threadProvider->SymbolProvider = PhCreateSymbolProvider(ProcessId);
if (threadProvider->SymbolProvider)
{
if (threadProvider->SymbolProvider->IsRealHandle)
threadProvider->ProcessHandle = threadProvider->SymbolProvider->ProcessHandle;
}
PhInitializeEvent(&threadProvider->SymbolsLoadedEvent);
threadProvider->SymbolsLoading = 0;
RtlInitializeSListHead(&threadProvider->QueryListHead);
threadProvider->RunId = 1;
// Begin loading symbols for the process' modules.
PhReferenceObject(threadProvider);
PhpQueueThreadWorkQueueItem(PhpThreadProviderLoadSymbols, threadProvider);
return threadProvider;
}
VOID PkAppendAddToActionList(
__in PPK_ACTION_LIST List,
__in ULONG Flags,
__in PPH_STRING Destination,
__in_opt PVOID Context
)
{
PK_ACTION action;
PhReferenceObject(Destination);
action.Type = PkAddType;
action.u.Add.Flags = Flags;
action.u.Add.Destination = Destination;
action.Context = Context;
PkpAddToActionList(List, &action);
}
INT CALLBACK EtpCommonPropPageProc(
__in HWND hwnd,
__in UINT uMsg,
__in LPPROPSHEETPAGE ppsp
)
{
PCOMMON_PAGE_CONTEXT pageContext;
pageContext = (PCOMMON_PAGE_CONTEXT)ppsp->lParam;
if (uMsg == PSPCB_ADDREF)
PhReferenceObject(pageContext);
else if (uMsg == PSPCB_RELEASE)
PhDereferenceObject(pageContext);
return 1;
}
PPH_HANDLE_ITEM PhReferenceHandleItem(
_In_ PPH_HANDLE_PROVIDER HandleProvider,
_In_ HANDLE Handle
)
{
PPH_HANDLE_ITEM handleItem;
PhAcquireQueuedLockShared(&HandleProvider->HandleHashSetLock);
handleItem = PhpLookupHandleItem(HandleProvider, Handle);
if (handleItem)
PhReferenceObject(handleItem);
PhReleaseQueuedLockShared(&HandleProvider->HandleHashSetLock);
return handleItem;
}
static VOID CopyCounterList(
_Inout_ PPH_LIST Destination,
_In_ PPH_LIST Source
)
{
for (ULONG i = 0; i < Source->Count; i++)
{
PPH_PERFMON_ENTRY entry = (PPH_PERFMON_ENTRY)Source->Items[i];
PPH_PERFMON_ENTRY newEntry;
newEntry = (PPH_PERFMON_ENTRY)PhAllocate(sizeof(PH_PERFMON_ENTRY));
memset(newEntry, 0, sizeof(PH_PERFMON_ENTRY));
PhReferenceObject(entry->Name);
newEntry->Name = entry->Name;
PhAddItemList(Destination, newEntry);
}
}
VOID CopyFilterList(
_Inout_ PPH_LIST Destination,
_In_ PPH_LIST Source
)
{
ULONG i;
for (i = 0; i < Source->Count; i++)
{
PFILTER_ENTRY entry = Source->Items[i];
PFILTER_ENTRY newEntry;
newEntry = PhAllocate(sizeof(FILTER_ENTRY));
newEntry->Type = entry->Type;
newEntry->Filter = entry->Filter;
PhReferenceObject(newEntry->Filter);
PhAddItemList(Destination, newEntry);
}
}
INT CALLBACK PhpJobPropPageProc(
__in HWND hwnd,
__in UINT uMsg,
__in LPPROPSHEETPAGE ppsp
)
{
PJOB_PAGE_CONTEXT jobPageContext;
jobPageContext = (PJOB_PAGE_CONTEXT)ppsp->lParam;
if (uMsg == PSPCB_ADDREF)
{
PhReferenceObject(jobPageContext);
}
else if (uMsg == PSPCB_RELEASE)
{
PhDereferenceObject(jobPageContext);
}
return 1;
}
PVIRUSTOTAL_FILE_HASH_ENTRY VirusTotalAddCacheResult(
_In_ PPH_STRING FileName,
_In_ PPROCESS_EXTENSION Extension
)
{
PVIRUSTOTAL_FILE_HASH_ENTRY result;
result = PhAllocate(sizeof(VIRUSTOTAL_FILE_HASH_ENTRY));
memset(result, 0, sizeof(VIRUSTOTAL_FILE_HASH_ENTRY));
PhReferenceObject(FileName);
result->FileName = FileName;
result->FileNameAnsi = PhConvertUtf16ToMultiByte(PhGetString(FileName));
result->Extension = Extension;
PhAcquireQueuedLockExclusive(&ProcessListLock);
PhAddItemList(VirusTotalList, result);
PhReleaseQueuedLockExclusive(&ProcessListLock);
return result;
}
VOID PhpAddProcessItemService(
_In_ PPH_PROCESS_ITEM ProcessItem,
_In_ PPH_SERVICE_ITEM ServiceItem
)
{
PhAcquireQueuedLockExclusive(&ProcessItem->ServiceListLock);
if (!ProcessItem->ServiceList)
ProcessItem->ServiceList = PhCreatePointerList(2);
if (!PhFindItemPointerList(ProcessItem->ServiceList, ServiceItem))
{
PhReferenceObject(ServiceItem);
PhAddItemPointerList(ProcessItem->ServiceList, ServiceItem);
}
PhReleaseQueuedLockExclusive(&ProcessItem->ServiceListLock);
ServiceItem->PendingProcess = FALSE;
ProcessItem->JustProcessed = 1;
}
PPH_SERVICE_ITEM PhReferenceServiceItem(
_In_ PWSTR Name
)
{
PPH_SERVICE_ITEM serviceItem;
PH_STRINGREF key;
// Construct a temporary service item for the lookup.
PhInitializeStringRef(&key, Name);
PhAcquireQueuedLockShared(&PhServiceHashtableLock);
serviceItem = PhpLookupServiceItem(&key);
if (serviceItem)
PhReferenceObject(serviceItem);
PhReleaseQueuedLockShared(&PhServiceHashtableLock);
return serviceItem;
}
PPH_STRING EtGetGpuAdapterDescription(
_In_ ULONG Index
)
{
PPH_STRING description;
if (Index >= EtpGpuAdapterList->Count)
return NULL;
description = ((PETP_GPU_ADAPTER)EtpGpuAdapterList->Items[Index])->Description;
if (description)
{
PhReferenceObject(description);
return description;
}
else
{
return NULL;
}
}