static VOID PhpFreeThreadStackItem(
_In_ PTHREAD_STACK_ITEM StackItem
)
{
PhSwapReference(&StackItem->Symbol, NULL);
PhFree(StackItem);
}
static BOOLEAN NTAPI FiCommandLineCallback(
_In_opt_ PPH_COMMAND_LINE_OPTION Option,
_In_opt_ PPH_STRING Value,
_In_opt_ PVOID Context
)
{
if (Option)
{
switch (Option->Id)
{
case FI_ARG_HELP:
FiArgHelp = TRUE;
break;
case FI_ARG_ACTION:
PhSwapReference(&FiArgAction, Value);
break;
case FI_ARG_NATIVE:
FiArgNative = TRUE;
break;
case FI_ARG_PATTERN:
PhSwapReference(&FiArgPattern, Value);
break;
case FI_ARG_CASESENSITIVE:
FiArgCaseSensitive = TRUE;
break;
case FI_ARG_OUTPUT:
PhSwapReference(&FiArgOutput, Value);
break;
case FI_ARG_FORCE:
FiArgForce = TRUE;
break;
case FI_ARG_LENGTH:
PhStringToInteger64(&Value->sr, 0, (PLONG64)&FiArgLength);
break;
}
}
else
{
if (!FiArgAction)
PhSwapReference(&FiArgAction, Value);
else if (!FiArgFileName)
PhSwapReference(&FiArgFileName, Value);
}
return TRUE;
}
BOOLEAN CreateDirectoryPath(_In_ PWSTR DirPath)
{
BOOLEAN success = FALSE;
PPH_STRING dirPathString = NULL;
PWSTR dirPathDup = NULL;
if (RtlDoesFileExists_U(DirPath))
return TRUE;
if ((dirPathDup = PhDuplicateStringZ(DirPath)) == NULL)
goto CleanupExit;
for (PWSTR path = _wcstok(dirPathDup, L"\\"); path; path = _wcstok(NULL, L"\\"))
{
if (!dirPathString)
dirPathString = PhCreateString(path);
else
{
PPH_STRING tempPathString;
tempPathString = PhConcatStrings(
3,
dirPathString->Buffer,
L"\\",
path
);
if (!RtlDoesFileExists_U(PhGetString(tempPathString)))
{
if (!CreateDirectory(PhGetString(tempPathString), NULL))
{
PhDereferenceObject(tempPathString);
goto CleanupExit;
}
}
PhSwapReference(&dirPathString, tempPathString);
PhDereferenceObject(tempPathString);
}
}
success = TRUE;
CleanupExit:
if (dirPathString)
{
PhDereferenceObject(dirPathString);
}
if (dirPathDup)
{
PhFree(dirPathDup);
}
return success;
}
static BOOLEAN NTAPI BeCommandLineCallback(
_In_opt_ PPH_COMMAND_LINE_OPTION Option,
_In_opt_ PPH_STRING Value,
_In_opt_ PVOID Context
)
{
if (!Option)
PhSwapReference(&BeFileName, Value);
return TRUE;
}
NTSTATUS PhpSymbolCallbackWorker(
_In_ PVOID Parameter
)
{
PPH_SYMBOL_EVENT_DATA data = Parameter;
dprintf("symbol event %d: %S\n", data->Type, data->FileName->Buffer);
PhInvokeCallback(&data->SymbolProvider->EventCallback, data);
PhSwapReference(&data->FileName, NULL);
PhDereferenceObject(data);
return STATUS_SUCCESS;
}
VOID EtDeleteNetworkBlock(
__in PET_NETWORK_BLOCK Block
)
{
ULONG i;
for (i = 1; i <= ETNETNC_MAXIMUM; i++)
{
PhSwapReference(&Block->TextCache[i], NULL);
}
RemoveEntryList(&Block->ListEntry);
}
static BOOLEAN NTAPI PhpSvchostCommandLineCallback(
__in_opt PPH_COMMAND_LINE_OPTION Option,
__in_opt PPH_STRING Value,
__in_opt PVOID Context
)
{
PPH_KNOWN_PROCESS_COMMAND_LINE knownCommandLine = Context;
if (Option && Option->Id == 1)
{
PhSwapReference(&knownCommandLine->ServiceHost.GroupName, Value);
}
return TRUE;
}
VOID EtDeleteProcessBlock(
__in PET_PROCESS_BLOCK Block
)
{
ULONG i;
EtProcIconNotifyProcessDelete(Block);
for (i = 1; i <= ETPRTNC_MAXIMUM; i++)
{
PhSwapReference(&Block->TextCache[i], NULL);
}
RemoveEntryList(&Block->ListEntry);
}
PDB_OBJECT CreateDbObject(
_In_ ULONG Tag,
_In_ PPH_STRINGREF Name,
_In_opt_ PPH_STRING Comment
)
{
PDB_OBJECT object;
BOOLEAN added;
PDB_OBJECT *realObject;
object = PhAllocate(sizeof(DB_OBJECT));
memset(object, 0, sizeof(DB_OBJECT));
object->Tag = Tag;
object->Key = *Name;
object->BackColor = ULONG_MAX;
realObject = PhAddEntryHashtableEx(ObjectDb, &object, &added);
if (added)
{
object->Name = PhCreateStringEx(Name->Buffer, Name->Length);
object->Key = object->Name->sr;
if (Comment)
PhSetReference(&object->Comment, Comment);
else
object->Comment = PhReferenceEmptyString();
}
else
{
PhFree(object);
object = *realObject;
if (Comment)
PhSwapReference(&object->Comment, Comment);
}
return object;
}
INT_PTR CALLBACK DotNetAsmPageDlgProc(
_In_ HWND hwndDlg,
_In_ UINT uMsg,
_In_ WPARAM wParam,
_In_ LPARAM lParam
)
{
LPPROPSHEETPAGE propSheetPage;
PPH_PROCESS_PROPPAGECONTEXT propPageContext;
PPH_PROCESS_ITEM processItem;
PASMPAGE_CONTEXT context;
if (PhPropPageDlgProcHeader(hwndDlg, uMsg, lParam, &propSheetPage, &propPageContext, &processItem))
{
context = propPageContext->Context;
}
else
{
return FALSE;
}
switch (uMsg)
{
case WM_INITDIALOG:
{
PPH_STRING settings;
HWND tnHandle;
context = PhAllocate(sizeof(ASMPAGE_CONTEXT));
memset(context, 0, sizeof(ASMPAGE_CONTEXT));
propPageContext->Context = context;
context->WindowHandle = hwndDlg;
context->ProcessItem = processItem;
context->ClrVersions = 0;
PhGetProcessIsDotNetEx(processItem->ProcessId, NULL, 0, NULL, &context->ClrVersions);
tnHandle = GetDlgItem(hwndDlg, IDC_LIST);
context->TnHandle = tnHandle;
TreeNew_SetCallback(tnHandle, DotNetAsmTreeNewCallback, context);
TreeNew_SetExtendedFlags(tnHandle, TN_FLAG_ITEM_DRAG_SELECT, TN_FLAG_ITEM_DRAG_SELECT);
PhSetControlTheme(tnHandle, L"explorer");
SendMessage(TreeNew_GetTooltips(tnHandle), TTM_SETMAXTIPWIDTH, 0, MAXSHORT);
PhAddTreeNewColumn(tnHandle, DNATNC_STRUCTURE, TRUE, L"Structure", 240, PH_ALIGN_LEFT, -2, 0);
PhAddTreeNewColumn(tnHandle, DNATNC_ID, TRUE, L"ID", 50, PH_ALIGN_RIGHT, 0, DT_RIGHT);
PhAddTreeNewColumn(tnHandle, DNATNC_FLAGS, TRUE, L"Flags", 120, PH_ALIGN_LEFT, 1, 0);
PhAddTreeNewColumn(tnHandle, DNATNC_PATH, TRUE, L"Path", 600, PH_ALIGN_LEFT, 2, 0); // don't use path ellipsis - the user already has the base file name
PhAddTreeNewColumn(tnHandle, DNATNC_NATIVEPATH, TRUE, L"Native image path", 600, PH_ALIGN_LEFT, 3, 0);
settings = PhGetStringSetting(SETTING_NAME_ASM_TREE_LIST_COLUMNS);
PhCmLoadSettings(tnHandle, &settings->sr);
PhDereferenceObject(settings);
PhSwapReference(&context->TnErrorMessage, PhCreateString(L"Loading .NET assemblies..."));
TreeNew_SetEmptyText(tnHandle, &context->TnErrorMessage->sr, 0);
if (
!IsProcessSuspended(processItem->ProcessId) ||
PhShowMessage(hwndDlg, MB_ICONWARNING | MB_YESNO, L".NET assembly enumeration may not work properly because the process is currently suspended. Do you want to continue?") == IDYES
)
{
CreateDotNetTraceQueryThread(
hwndDlg,
context->ClrVersions,
processItem->ProcessId
);
}
else
{
PhSwapReference(&context->TnErrorMessage,
PhCreateString(L"Unable to start the event tracing session because the process is suspended.")
);
TreeNew_SetEmptyText(tnHandle, &context->TnErrorMessage->sr, 0);
InvalidateRect(tnHandle, NULL, FALSE);
}
}
break;
case WM_DESTROY:
{
PPH_STRING settings;
ULONG i;
settings = PhCmSaveSettings(context->TnHandle);
PhSetStringSetting2(SETTING_NAME_ASM_TREE_LIST_COLUMNS, &settings->sr);
PhDereferenceObject(settings);
if (context->NodeList)
{
for (i = 0; i < context->NodeList->Count; i++)
DestroyNode(context->NodeList->Items[i]);
PhDereferenceObject(context->NodeList);
}
if (context->NodeRootList)
PhDereferenceObject(context->NodeRootList);
PhClearReference(&context->TnErrorMessage);
PhFree(context);
PhPropPageDlgProcDestroy(hwndDlg);
}
break;
case WM_SHOWWINDOW:
{
PPH_LAYOUT_ITEM dialogItem;
if (dialogItem = PhBeginPropPageLayout(hwndDlg, propPageContext))
{
PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_LIST), dialogItem, PH_ANCHOR_ALL);
PhEndPropPageLayout(hwndDlg, propPageContext);
}
}
break;
case WM_COMMAND:
{
switch (LOWORD(wParam))
{
case ID_COPY:
{
PPH_STRING text;
text = PhGetTreeNewText(context->TnHandle, 0);
PhSetClipboardString(context->TnHandle, &text->sr);
PhDereferenceObject(text);
}
break;
}
}
break;
case UPDATE_MSG:
{
ULONG result = (ULONG)wParam;
PASMPAGE_QUERY_CONTEXT queryContext = (PASMPAGE_QUERY_CONTEXT)lParam;
if (result == 0)
{
PhSwapReference(&context->NodeList, queryContext->NodeList);
PhSwapReference(&context->NodeRootList, queryContext->NodeRootList);
DestroyDotNetTraceQuery(queryContext);
TreeNew_NodesStructured(context->TnHandle);
}
else
{
PhSwapReference(&context->TnErrorMessage,
PhConcatStrings2(L"Unable to start the event tracing session: ", PhGetStringOrDefault(PhGetWin32Message(result), L"Unknown error"))
);
TreeNew_SetEmptyText(context->TnHandle, &context->TnErrorMessage->sr, 0);
InvalidateRect(context->TnHandle, NULL, FALSE);
}
}
break;
}
return FALSE;
}
BOOLEAN NTAPI PhpCommandLineOptionCallback(
_In_opt_ PPH_COMMAND_LINE_OPTION Option,
_In_opt_ PPH_STRING Value,
_In_opt_ PVOID Context
)
{
ULONG64 integer;
if (Option)
{
switch (Option->Id)
{
case PH_ARG_SETTINGS:
PhSwapReference(&PhStartupParameters.SettingsFileName, Value);
break;
case PH_ARG_NOSETTINGS:
PhStartupParameters.NoSettings = TRUE;
break;
case PH_ARG_SHOWVISIBLE:
PhStartupParameters.ShowVisible = TRUE;
break;
case PH_ARG_SHOWHIDDEN:
PhStartupParameters.ShowHidden = TRUE;
break;
case PH_ARG_COMMANDMODE:
PhStartupParameters.CommandMode = TRUE;
break;
case PH_ARG_COMMANDTYPE:
PhSwapReference(&PhStartupParameters.CommandType, Value);
break;
case PH_ARG_COMMANDOBJECT:
PhSwapReference(&PhStartupParameters.CommandObject, Value);
break;
case PH_ARG_COMMANDACTION:
PhSwapReference(&PhStartupParameters.CommandAction, Value);
break;
case PH_ARG_COMMANDVALUE:
PhSwapReference(&PhStartupParameters.CommandValue, Value);
break;
case PH_ARG_RUNASSERVICEMODE:
PhSwapReference(&PhStartupParameters.RunAsServiceMode, Value);
break;
case PH_ARG_NOKPH:
PhStartupParameters.NoKph = TRUE;
break;
case PH_ARG_INSTALLKPH:
PhStartupParameters.InstallKph = TRUE;
break;
case PH_ARG_UNINSTALLKPH:
PhStartupParameters.UninstallKph = TRUE;
break;
case PH_ARG_DEBUG:
PhStartupParameters.Debug = TRUE;
break;
case PH_ARG_HWND:
if (PhStringToInteger64(&Value->sr, 16, &integer))
PhStartupParameters.WindowHandle = (HWND)(ULONG_PTR)integer;
break;
case PH_ARG_POINT:
{
PH_STRINGREF xString;
PH_STRINGREF yString;
if (PhSplitStringRefAtChar(&Value->sr, ',', &xString, &yString))
{
LONG64 x;
LONG64 y;
if (PhStringToInteger64(&xString, 10, &x) && PhStringToInteger64(&yString, 10, &y))
{
PhStartupParameters.Point.x = (LONG)x;
PhStartupParameters.Point.y = (LONG)y;
}
}
}
break;
case PH_ARG_SHOWOPTIONS:
PhStartupParameters.ShowOptions = TRUE;
break;
case PH_ARG_PHSVC:
PhStartupParameters.PhSvc = TRUE;
break;
case PH_ARG_NOPLUGINS:
PhStartupParameters.NoPlugins = TRUE;
break;
case PH_ARG_NEWINSTANCE:
PhStartupParameters.NewInstance = TRUE;
break;
case PH_ARG_ELEVATE:
PhStartupParameters.Elevate = TRUE;
break;
case PH_ARG_SILENT:
PhStartupParameters.Silent = TRUE;
break;
case PH_ARG_HELP:
PhStartupParameters.Help = TRUE;
break;
case PH_ARG_SELECTPID:
if (PhStringToInteger64(&Value->sr, 0, &integer))
PhStartupParameters.SelectPid = (ULONG)integer;
break;
case PH_ARG_PRIORITY:
if (PhEqualString2(Value, L"r", TRUE))
PhStartupParameters.PriorityClass = PROCESS_PRIORITY_CLASS_REALTIME;
else if (PhEqualString2(Value, L"h", TRUE))
PhStartupParameters.PriorityClass = PROCESS_PRIORITY_CLASS_HIGH;
else if (PhEqualString2(Value, L"n", TRUE))
PhStartupParameters.PriorityClass = PROCESS_PRIORITY_CLASS_NORMAL;
else if (PhEqualString2(Value, L"l", TRUE))
PhStartupParameters.PriorityClass = PROCESS_PRIORITY_CLASS_IDLE;
break;
case PH_ARG_PLUGIN:
if (!PhStartupParameters.PluginParameters)
PhStartupParameters.PluginParameters = PhCreateList(3);
PhReferenceObject(Value);
PhAddItemList(PhStartupParameters.PluginParameters, Value);
break;
case PH_ARG_SELECTTAB:
PhSwapReference(&PhStartupParameters.SelectTab, Value);
break;
}
}
else
{
PPH_STRING upperValue;
upperValue = PhDuplicateString(Value);
_wcsupr(upperValue->Buffer);
if (PhFindStringInString(upperValue, 0, L"TASKMGR.EXE") != -1)
{
// User probably has Process Hacker replacing Task Manager. Force
// the main window to start visible.
PhStartupParameters.ShowVisible = TRUE;
}
PhDereferenceObject(upperValue);
}
return TRUE;
}
VOID ProcessesUpdatedCallback(
_In_opt_ PVOID Parameter,
_In_opt_ PVOID Context
)
{
static ULONG ProcessesUpdatedCount = 0;
PLIST_ENTRY listEntry;
if (!VirusTotalScanningEnabled)
return;
if (ProcessesUpdatedCount < 2)
{
ProcessesUpdatedCount++;
return;
}
listEntry = ProcessListHead.Flink;
while (listEntry != &ProcessListHead)
{
PPROCESS_EXTENSION extension;
PPH_STRING filePath = NULL;
extension = CONTAINING_RECORD(listEntry, PROCESS_EXTENSION, ListEntry);
if (extension->ProcessItem)
{
filePath = extension->ProcessItem->FileName;
}
else if (extension->ModuleItem)
{
filePath = extension->ModuleItem->FileName;
}
else if (extension->ServiceItem)
{
if (extension->FilePath)
{
filePath = extension->FilePath;
}
else
{
PPH_STRING serviceFileName = NULL;
PPH_STRING serviceBinaryPath = NULL;
if (NT_SUCCESS(QueryServiceFileName(
&extension->ServiceItem->Name->sr,
&serviceFileName,
&serviceBinaryPath
)))
{
PhMoveReference(&extension->FilePath, serviceFileName);
if (serviceBinaryPath) PhDereferenceObject(serviceBinaryPath);
}
filePath = extension->FilePath;
}
}
if (!PhIsNullOrEmptyString(filePath))
{
if (!extension->ResultValid)
{
PPROCESS_DB_OBJECT object;
if (object = FindProcessDbObject(&filePath->sr))
{
extension->Stage1 = TRUE;
extension->ResultValid = TRUE;
extension->Positives = object->Positives;
PhSwapReference(&extension->VirusTotalResult, object->Result);
}
}
if (!extension->Stage1)
{
if (!VirusTotalGetCachedResult(filePath))
{
VirusTotalAddCacheResult(filePath, extension);
}
extension->Stage1 = TRUE;
}
}
listEntry = listEntry->Flink;
}
}
VOID SetDbPath(
_In_ PPH_STRING Path
)
{
PhSwapReference(&ObjectDbPath, Path);
}
VOID PhShowMemoryEditorDialog(
_In_ HANDLE ProcessId,
_In_ PVOID BaseAddress,
_In_ SIZE_T RegionSize,
_In_ ULONG SelectOffset,
_In_ ULONG SelectLength,
_In_opt_ PPH_STRING Title,
_In_ ULONG Flags
)
{
PMEMORY_EDITOR_CONTEXT context;
MEMORY_EDITOR_CONTEXT lookupContext;
PPH_AVL_LINKS links;
lookupContext.ProcessId = ProcessId;
lookupContext.BaseAddress = BaseAddress;
lookupContext.RegionSize = RegionSize;
links = PhFindElementAvlTree(&PhMemoryEditorSet, &lookupContext.Links);
if (!links)
{
context = PhAllocate(sizeof(MEMORY_EDITOR_CONTEXT));
memset(context, 0, sizeof(MEMORY_EDITOR_CONTEXT));
context->ProcessId = ProcessId;
context->BaseAddress = BaseAddress;
context->RegionSize = RegionSize;
context->SelectOffset = SelectOffset;
PhSwapReference(&context->Title, Title);
context->Flags = Flags;
context->WindowHandle = CreateDialogParam(
PhInstanceHandle,
MAKEINTRESOURCE(IDD_MEMEDIT),
NULL,
PhpMemoryEditorDlgProc,
(LPARAM)context
);
if (!context->LoadCompleted)
{
DestroyWindow(context->WindowHandle);
return;
}
if (SelectOffset != -1)
PostMessage(context->WindowHandle, WM_PH_SELECT_OFFSET, SelectOffset, SelectLength);
PhRegisterDialog(context->WindowHandle);
PhAddElementAvlTree(&PhMemoryEditorSet, &context->Links);
ShowWindow(context->WindowHandle, SW_SHOW);
}
else
{
context = CONTAINING_RECORD(links, MEMORY_EDITOR_CONTEXT, Links);
if (IsIconic(context->WindowHandle))
ShowWindow(context->WindowHandle, SW_RESTORE);
else
SetForegroundWindow(context->WindowHandle);
if (SelectOffset != -1)
PostMessage(context->WindowHandle, WM_PH_SELECT_OFFSET, SelectOffset, SelectLength);
// Just in case.
if ((Flags & PH_MEMORY_EDITOR_UNMAP_VIEW_OF_SECTION) && ProcessId == NtCurrentProcessId())
NtUnmapViewOfSection(NtCurrentProcess(), BaseAddress);
}
}
INT_PTR CALLBACK PhpServiceGeneralDlgProc(
_In_ HWND hwndDlg,
_In_ UINT uMsg,
_In_ WPARAM wParam,
_In_ LPARAM lParam
)
{
switch (uMsg)
{
case WM_INITDIALOG:
{
LPPROPSHEETPAGE propSheetPage = (LPPROPSHEETPAGE)lParam;
PSERVICE_PROPERTIES_CONTEXT context = (PSERVICE_PROPERTIES_CONTEXT)propSheetPage->lParam;
PPH_SERVICE_ITEM serviceItem = context->ServiceItem;
SC_HANDLE serviceHandle;
ULONG startType;
ULONG errorControl;
PPH_STRING serviceDll;
// HACK
PhCenterWindow(GetParent(hwndDlg), GetParent(GetParent(hwndDlg)));
SetProp(hwndDlg, PhMakeContextAtom(), (HANDLE)context);
PhAddComboBoxStrings(GetDlgItem(hwndDlg, IDC_TYPE), PhServiceTypeStrings,
sizeof(PhServiceTypeStrings) / sizeof(WCHAR *));
PhAddComboBoxStrings(GetDlgItem(hwndDlg, IDC_STARTTYPE), PhServiceStartTypeStrings,
sizeof(PhServiceStartTypeStrings) / sizeof(WCHAR *));
PhAddComboBoxStrings(GetDlgItem(hwndDlg, IDC_ERRORCONTROL), PhServiceErrorControlStrings,
sizeof(PhServiceErrorControlStrings) / sizeof(WCHAR *));
SetDlgItemText(hwndDlg, IDC_DESCRIPTION, serviceItem->DisplayName->Buffer);
PhSelectComboBoxString(GetDlgItem(hwndDlg, IDC_TYPE),
PhGetServiceTypeString(serviceItem->Type), FALSE);
startType = serviceItem->StartType;
errorControl = serviceItem->ErrorControl;
serviceHandle = PhOpenService(serviceItem->Name->Buffer, SERVICE_QUERY_CONFIG);
if (serviceHandle)
{
LPQUERY_SERVICE_CONFIG config;
PPH_STRING description;
BOOLEAN delayedStart;
if (config = PhGetServiceConfig(serviceHandle))
{
SetDlgItemText(hwndDlg, IDC_GROUP, config->lpLoadOrderGroup);
SetDlgItemText(hwndDlg, IDC_BINARYPATH, config->lpBinaryPathName);
SetDlgItemText(hwndDlg, IDC_USERACCOUNT, config->lpServiceStartName);
if (startType != config->dwStartType || errorControl != config->dwErrorControl)
{
startType = config->dwStartType;
errorControl = config->dwErrorControl;
PhMarkNeedsConfigUpdateServiceItem(serviceItem);
}
PhFree(config);
}
if (description = PhGetServiceDescription(serviceHandle))
{
SetDlgItemText(hwndDlg, IDC_DESCRIPTION, description->Buffer);
PhDereferenceObject(description);
}
if (
WindowsVersion >= WINDOWS_VISTA &&
PhGetServiceDelayedAutoStart(serviceHandle, &delayedStart)
)
{
context->OldDelayedStart = delayedStart;
if (delayedStart)
Button_SetCheck(GetDlgItem(hwndDlg, IDC_DELAYEDSTART), BST_CHECKED);
}
CloseServiceHandle(serviceHandle);
}
PhSelectComboBoxString(GetDlgItem(hwndDlg, IDC_STARTTYPE),
PhGetServiceStartTypeString(startType), FALSE);
PhSelectComboBoxString(GetDlgItem(hwndDlg, IDC_ERRORCONTROL),
PhGetServiceErrorControlString(errorControl), FALSE);
SetDlgItemText(hwndDlg, IDC_PASSWORD, L"password");
Button_SetCheck(GetDlgItem(hwndDlg, IDC_PASSWORDCHECK), BST_UNCHECKED);
if (NT_SUCCESS(PhGetServiceDllParameter(&serviceItem->Name->sr, &serviceDll)))
{
SetDlgItemText(hwndDlg, IDC_SERVICEDLL, serviceDll->Buffer);
PhDereferenceObject(serviceDll);
}
else
{
SetDlgItemText(hwndDlg, IDC_SERVICEDLL, L"N/A");
}
PhpRefreshControls(hwndDlg);
context->Ready = TRUE;
}
break;
case WM_DESTROY:
{
RemoveProp(hwndDlg, PhMakeContextAtom());
}
break;
case WM_COMMAND:
{
PSERVICE_PROPERTIES_CONTEXT context =
(PSERVICE_PROPERTIES_CONTEXT)GetProp(hwndDlg, PhMakeContextAtom());
switch (LOWORD(wParam))
{
case IDCANCEL:
{
// Workaround for property sheet + multiline edit: http://support.microsoft.com/kb/130765
SendMessage(GetParent(hwndDlg), uMsg, wParam, lParam);
}
break;
case IDC_PASSWORD:
{
if (HIWORD(wParam) == EN_CHANGE)
{
Button_SetCheck(GetDlgItem(hwndDlg, IDC_PASSWORDCHECK), BST_CHECKED);
}
}
break;
case IDC_DELAYEDSTART:
{
context->Dirty = TRUE;
}
break;
case IDC_BROWSE:
{
static PH_FILETYPE_FILTER filters[] =
{
{ L"Executable files (*.exe;*.sys)", L"*.exe;*.sys" },
{ L"All files (*.*)", L"*.*" }
};
PVOID fileDialog;
PPH_STRING commandLine;
PPH_STRING fileName;
fileDialog = PhCreateOpenFileDialog();
PhSetFileDialogFilter(fileDialog, filters, sizeof(filters) / sizeof(PH_FILETYPE_FILTER));
commandLine = PhaGetDlgItemText(hwndDlg, IDC_BINARYPATH);
if (context->ServiceItem->Type & SERVICE_WIN32)
{
PH_STRINGREF dummyFileName;
PH_STRINGREF dummyArguments;
if (!PhParseCommandLineFuzzy(&commandLine->sr, &dummyFileName, &dummyArguments, &fileName))
fileName = NULL;
if (!fileName)
PhSwapReference(&fileName, commandLine);
}
else
{
fileName = PhGetFileName(commandLine);
}
PhSetFileDialogFileName(fileDialog, fileName->Buffer);
PhDereferenceObject(fileName);
if (PhShowFileDialog(hwndDlg, fileDialog))
{
fileName = PhGetFileDialogFileName(fileDialog);
SetDlgItemText(hwndDlg, IDC_BINARYPATH, fileName->Buffer);
PhDereferenceObject(fileName);
}
PhFreeFileDialog(fileDialog);
}
break;
}
switch (HIWORD(wParam))
{
case EN_CHANGE:
case CBN_SELCHANGE:
{
PhpRefreshControls(hwndDlg);
if (context->Ready)
context->Dirty = TRUE;
}
break;
}
}
break;
case WM_NOTIFY:
{
LPNMHDR header = (LPNMHDR)lParam;
switch (header->code)
{
case PSN_QUERYINITIALFOCUS:
{
SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, (LONG_PTR)GetDlgItem(hwndDlg, IDC_STARTTYPE));
}
return TRUE;
case PSN_KILLACTIVE:
{
SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, FALSE);
}
return TRUE;
case PSN_APPLY:
{
NTSTATUS status;
PSERVICE_PROPERTIES_CONTEXT context =
(PSERVICE_PROPERTIES_CONTEXT)GetProp(hwndDlg, PhMakeContextAtom());
PPH_SERVICE_ITEM serviceItem = context->ServiceItem;
SC_HANDLE serviceHandle;
PPH_STRING newServiceTypeString;
PPH_STRING newServiceStartTypeString;
PPH_STRING newServiceErrorControlString;
ULONG newServiceType;
ULONG newServiceStartType;
ULONG newServiceErrorControl;
PPH_STRING newServiceGroup;
PPH_STRING newServiceBinaryPath;
PPH_STRING newServiceUserAccount;
PPH_STRING newServicePassword;
SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, PSNRET_NOERROR);
if (!context->Dirty)
{
return TRUE;
}
newServiceTypeString = PH_AUTO(PhGetWindowText(GetDlgItem(hwndDlg, IDC_TYPE)));
newServiceStartTypeString = PH_AUTO(PhGetWindowText(GetDlgItem(hwndDlg, IDC_STARTTYPE)));
newServiceErrorControlString = PH_AUTO(PhGetWindowText(GetDlgItem(hwndDlg, IDC_ERRORCONTROL)));
newServiceType = PhGetServiceTypeInteger(newServiceTypeString->Buffer);
newServiceStartType = PhGetServiceStartTypeInteger(newServiceStartTypeString->Buffer);
newServiceErrorControl = PhGetServiceErrorControlInteger(newServiceErrorControlString->Buffer);
newServiceGroup = PH_AUTO(PhGetWindowText(GetDlgItem(hwndDlg, IDC_GROUP)));
newServiceBinaryPath = PH_AUTO(PhGetWindowText(GetDlgItem(hwndDlg, IDC_BINARYPATH)));
newServiceUserAccount = PH_AUTO(PhGetWindowText(GetDlgItem(hwndDlg, IDC_USERACCOUNT)));
if (Button_GetCheck(GetDlgItem(hwndDlg, IDC_PASSWORDCHECK)) == BST_CHECKED)
{
newServicePassword = PhGetWindowText(GetDlgItem(hwndDlg, IDC_PASSWORD));
}
else
{
newServicePassword = NULL;
}
if (newServiceType == SERVICE_KERNEL_DRIVER && newServiceUserAccount->Length == 0)
{
newServiceUserAccount = NULL;
}
serviceHandle = PhOpenService(serviceItem->Name->Buffer, SERVICE_CHANGE_CONFIG);
if (serviceHandle)
{
if (ChangeServiceConfig(
serviceHandle,
newServiceType,
newServiceStartType,
newServiceErrorControl,
newServiceBinaryPath->Buffer,
newServiceGroup->Buffer,
NULL,
NULL,
PhGetString(newServiceUserAccount),
PhGetString(newServicePassword),
NULL
))
{
if (WindowsVersion >= WINDOWS_VISTA)
{
BOOLEAN newDelayedStart;
newDelayedStart = Button_GetCheck(GetDlgItem(hwndDlg, IDC_DELAYEDSTART)) == BST_CHECKED;
if (newDelayedStart != context->OldDelayedStart)
{
PhSetServiceDelayedAutoStart(serviceHandle, newDelayedStart);
}
}
PhMarkNeedsConfigUpdateServiceItem(serviceItem);
CloseServiceHandle(serviceHandle);
}
else
{
CloseServiceHandle(serviceHandle);
goto ErrorCase;
}
}
else
{
if (GetLastError() == ERROR_ACCESS_DENIED && !PhGetOwnTokenAttributes().Elevated)
{
// Elevate using phsvc.
if (PhUiConnectToPhSvc(hwndDlg, FALSE))
{
if (NT_SUCCESS(status = PhSvcCallChangeServiceConfig(
serviceItem->Name->Buffer,
newServiceType,
newServiceStartType,
newServiceErrorControl,
newServiceBinaryPath->Buffer,
newServiceGroup->Buffer,
NULL,
NULL,
PhGetString(newServiceUserAccount),
PhGetString(newServicePassword),
NULL
)))
{
if (WindowsVersion >= WINDOWS_VISTA)
{
BOOLEAN newDelayedStart;
newDelayedStart = Button_GetCheck(GetDlgItem(hwndDlg, IDC_DELAYEDSTART)) == BST_CHECKED;
if (newDelayedStart != context->OldDelayedStart)
{
SERVICE_DELAYED_AUTO_START_INFO info;
info.fDelayedAutostart = newDelayedStart;
PhSvcCallChangeServiceConfig2(
serviceItem->Name->Buffer,
SERVICE_CONFIG_DELAYED_AUTO_START_INFO,
&info
);
}
}
PhMarkNeedsConfigUpdateServiceItem(serviceItem);
}
PhUiDisconnectFromPhSvc();
if (!NT_SUCCESS(status))
{
SetLastError(PhNtStatusToDosError(status));
goto ErrorCase;
}
}
else
{
// User cancelled elevation.
SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, PSNRET_INVALID);
}
}
else
{
goto ErrorCase;
}
}
goto Cleanup;
ErrorCase:
if (PhShowMessage(
hwndDlg,
MB_ICONERROR | MB_RETRYCANCEL,
L"Unable to change service configuration: %s",
PH_AUTO_T(PH_STRING, PhGetWin32Message(GetLastError()))->Buffer
) == IDRETRY)
{
SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, PSNRET_INVALID);
}
Cleanup:
if (newServicePassword)
{
RtlSecureZeroMemory(newServicePassword->Buffer, newServicePassword->Length);
PhDereferenceObject(newServicePassword);
}
}
return TRUE;
}
}
break;
}
return FALSE;
}
VOID PhpThreadProviderUpdate(
__in PPH_THREAD_PROVIDER ThreadProvider,
__in PVOID ProcessInformation
)
{
PPH_THREAD_PROVIDER threadProvider = ThreadProvider;
PSYSTEM_PROCESS_INFORMATION process;
SYSTEM_PROCESS_INFORMATION localProcess;
PSYSTEM_THREAD_INFORMATION threads;
ULONG numberOfThreads;
ULONG i;
process = PhFindProcessInformation(ProcessInformation, threadProvider->ProcessId);
if (!process)
{
// The process doesn't exist anymore. Pretend it does but
// has no threads.
process = &localProcess;
process->NumberOfThreads = 0;
}
threads = process->Threads;
numberOfThreads = process->NumberOfThreads;
// System Idle Process has one thread per CPU.
// They all have a TID of 0, but we can't have
// multiple TIDs, so we'll assign unique TIDs.
if (threadProvider->ProcessId == SYSTEM_IDLE_PROCESS_ID)
{
for (i = 0; i < numberOfThreads; i++)
{
threads[i].ClientId.UniqueThread = (HANDLE)i;
}
}
// Look for dead threads.
{
PPH_LIST threadsToRemove = NULL;
ULONG enumerationKey = 0;
PPH_THREAD_ITEM *threadItem;
while (PhEnumHashtable(threadProvider->ThreadHashtable, (PPVOID)&threadItem, &enumerationKey))
{
BOOLEAN found = FALSE;
// Check if the thread still exists.
for (i = 0; i < numberOfThreads; i++)
{
PSYSTEM_THREAD_INFORMATION thread = &threads[i];
if ((*threadItem)->ThreadId == thread->ClientId.UniqueThread)
{
found = TRUE;
break;
}
}
if (!found)
{
// Raise the thread removed event.
PhInvokeCallback(&threadProvider->ThreadRemovedEvent, *threadItem);
if (!threadsToRemove)
threadsToRemove = PhCreateList(2);
PhAddItemList(threadsToRemove, *threadItem);
}
}
if (threadsToRemove)
{
PhAcquireFastLockExclusive(&threadProvider->ThreadHashtableLock);
for (i = 0; i < threadsToRemove->Count; i++)
{
PhpRemoveThreadItem(
threadProvider,
(PPH_THREAD_ITEM)threadsToRemove->Items[i]
);
}
PhReleaseFastLockExclusive(&threadProvider->ThreadHashtableLock);
PhDereferenceObject(threadsToRemove);
}
}
// Go through the queued thread query data.
{
PSLIST_ENTRY entry;
PPH_THREAD_QUERY_DATA data;
entry = RtlInterlockedFlushSList(&threadProvider->QueryListHead);
while (entry)
{
data = CONTAINING_RECORD(entry, PH_THREAD_QUERY_DATA, ListEntry);
entry = entry->Next;
if (data->StartAddressResolveLevel == PhsrlFunction && data->StartAddressString)
{
PhSwapReference(&data->ThreadItem->StartAddressString, data->StartAddressString);
data->ThreadItem->StartAddressResolveLevel = data->StartAddressResolveLevel;
}
PhSwapReference2(&data->ThreadItem->ServiceName, data->ServiceName);
data->ThreadItem->JustResolved = TRUE;
if (data->StartAddressString) PhDereferenceObject(data->StartAddressString);
PhDereferenceObject(data->ThreadItem);
PhFree(data);
}
}
// Look for new threads and update existing ones.
for (i = 0; i < numberOfThreads; i++)
{
PSYSTEM_THREAD_INFORMATION thread = &threads[i];
PPH_THREAD_ITEM threadItem;
threadItem = PhReferenceThreadItem(threadProvider, thread->ClientId.UniqueThread);
if (!threadItem)
{
ULONG64 cycles;
PVOID startAddress = NULL;
threadItem = PhCreateThreadItem(thread->ClientId.UniqueThread);
threadItem->CreateTime = thread->CreateTime;
threadItem->KernelTime = thread->KernelTime;
threadItem->UserTime = thread->UserTime;
PhUpdateDelta(&threadItem->ContextSwitchesDelta, thread->ContextSwitches);
threadItem->Priority = thread->Priority;
threadItem->BasePriority = thread->BasePriority;
threadItem->State = (KTHREAD_STATE)thread->ThreadState;
threadItem->WaitReason = thread->WaitReason;
// Try to open a handle to the thread.
if (!NT_SUCCESS(PhOpenThread(
&threadItem->ThreadHandle,
THREAD_QUERY_INFORMATION,
threadItem->ThreadId
)))
{
PhOpenThread(
&threadItem->ThreadHandle,
ThreadQueryAccess,
threadItem->ThreadId
);
}
// Get the cycle count.
if (NT_SUCCESS(PhpGetThreadCycleTime(
threadProvider,
threadItem,
&cycles
)))
{
PhUpdateDelta(&threadItem->CyclesDelta, cycles);
}
// Initialize the CPU time deltas.
PhUpdateDelta(&threadItem->CpuKernelDelta, threadItem->KernelTime.QuadPart);
PhUpdateDelta(&threadItem->CpuUserDelta, threadItem->UserTime.QuadPart);
// Try to get the start address.
if (threadItem->ThreadHandle)
{
NtQueryInformationThread(
threadItem->ThreadHandle,
ThreadQuerySetWin32StartAddress,
&startAddress,
sizeof(PVOID),
NULL
);
}
if (!startAddress)
startAddress = thread->StartAddress;
threadItem->StartAddress = (ULONG64)startAddress;
// Get the Win32 priority.
threadItem->PriorityWin32 = GetThreadPriority(threadItem->ThreadHandle);
if (PhTestEvent(&threadProvider->SymbolsLoadedEvent))
{
threadItem->StartAddressString = PhpGetThreadBasicStartAddress(
threadProvider,
threadItem->StartAddress,
&threadItem->StartAddressResolveLevel
);
}
if (!threadItem->StartAddressString)
{
threadItem->StartAddressResolveLevel = PhsrlAddress;
threadItem->StartAddressString = PhCreateStringEx(NULL, PH_PTR_STR_LEN * 2);
PhPrintPointer(
threadItem->StartAddressString->Buffer,
(PVOID)threadItem->StartAddress
);
PhTrimToNullTerminatorString(threadItem->StartAddressString);
}
PhpQueueThreadQuery(threadProvider, threadItem);
// Is it a GUI thread?
if (threadItem->ThreadHandle && KphIsConnected())
{
PVOID win32Thread;
if (NT_SUCCESS(KphQueryInformationThread(
threadItem->ThreadHandle,
KphThreadWin32Thread,
&win32Thread,
sizeof(PVOID),
NULL
)))
{
threadItem->IsGuiThread = win32Thread != NULL;
}
}
// Add the thread item to the hashtable.
PhAcquireFastLockExclusive(&threadProvider->ThreadHashtableLock);
PhAddEntryHashtable(threadProvider->ThreadHashtable, &threadItem);
PhReleaseFastLockExclusive(&threadProvider->ThreadHashtableLock);
// Raise the thread added event.
PhInvokeCallback(&threadProvider->ThreadAddedEvent, threadItem);
}
else
{
BOOLEAN modified = FALSE;
if (threadItem->JustResolved)
modified = TRUE;
threadItem->KernelTime = thread->KernelTime;
threadItem->UserTime = thread->UserTime;
threadItem->Priority = thread->Priority;
threadItem->BasePriority = thread->BasePriority;
threadItem->State = (KTHREAD_STATE)thread->ThreadState;
if (threadItem->WaitReason != thread->WaitReason)
{
threadItem->WaitReason = thread->WaitReason;
modified = TRUE;
}
// If the resolve level is only at address, it probably
// means symbols weren't loaded the last time we
// tried to get the start address. Try again.
if (threadItem->StartAddressResolveLevel == PhsrlAddress)
{
if (PhTestEvent(&threadProvider->SymbolsLoadedEvent))
{
PPH_STRING newStartAddressString;
newStartAddressString = PhpGetThreadBasicStartAddress(
threadProvider,
threadItem->StartAddress,
&threadItem->StartAddressResolveLevel
);
PhSwapReference2(
&threadItem->StartAddressString,
newStartAddressString
);
modified = TRUE;
}
}
// If we couldn't resolve the start address to a
// module+offset, use the StartAddress instead
// of the Win32StartAddress and try again.
// Note that we check the resolve level again
// because we may have changed it in the previous
// block.
if (
threadItem->JustResolved &&
threadItem->StartAddressResolveLevel == PhsrlAddress
)
{
if (threadItem->StartAddress != (ULONG64)thread->StartAddress)
{
threadItem->StartAddress = (ULONG64)thread->StartAddress;
PhpQueueThreadQuery(threadProvider, threadItem);
}
}
// Update the context switch count.
{
ULONG oldDelta;
oldDelta = threadItem->ContextSwitchesDelta.Delta;
PhUpdateDelta(&threadItem->ContextSwitchesDelta, thread->ContextSwitches);
if (threadItem->ContextSwitchesDelta.Delta != oldDelta)
{
modified = TRUE;
}
}
// Update the cycle count.
{
ULONG64 cycles;
ULONG64 oldDelta;
oldDelta = threadItem->CyclesDelta.Delta;
if (NT_SUCCESS(PhpGetThreadCycleTime(
threadProvider,
threadItem,
&cycles
)))
{
PhUpdateDelta(&threadItem->CyclesDelta, cycles);
if (threadItem->CyclesDelta.Delta != oldDelta)
{
modified = TRUE;
}
}
}
// Update the CPU time deltas.
PhUpdateDelta(&threadItem->CpuKernelDelta, threadItem->KernelTime.QuadPart);
PhUpdateDelta(&threadItem->CpuUserDelta, threadItem->UserTime.QuadPart);
// Update the CPU usage.
// If the cycle time isn't available, we'll fall back to using the CPU time.
if (PhEnableCycleCpuUsage && (threadProvider->ProcessId == SYSTEM_IDLE_PROCESS_ID || threadItem->ThreadHandle))
{
threadItem->CpuUsage = (FLOAT)threadItem->CyclesDelta.Delta / PhCpuTotalCycleDelta;
}
else
{
threadItem->CpuUsage = (FLOAT)(threadItem->CpuKernelDelta.Delta + threadItem->CpuUserDelta.Delta) /
(PhCpuKernelDelta.Delta + PhCpuUserDelta.Delta + PhCpuIdleDelta.Delta);
}
// Update the Win32 priority.
{
LONG oldPriorityWin32 = threadItem->PriorityWin32;
threadItem->PriorityWin32 = GetThreadPriority(threadItem->ThreadHandle);
if (threadItem->PriorityWin32 != oldPriorityWin32)
{
modified = TRUE;
}
}
// Update the GUI thread status.
if (threadItem->ThreadHandle && KphIsConnected())
{
PVOID win32Thread;
if (NT_SUCCESS(KphQueryInformationThread(
threadItem->ThreadHandle,
KphThreadWin32Thread,
&win32Thread,
sizeof(PVOID),
NULL
)))
{
BOOLEAN oldIsGuiThread = threadItem->IsGuiThread;
threadItem->IsGuiThread = win32Thread != NULL;
if (threadItem->IsGuiThread != oldIsGuiThread)
modified = TRUE;
}
}
threadItem->JustResolved = FALSE;
if (modified)
{
// Raise the thread modified event.
PhInvokeCallback(&threadProvider->ThreadModifiedEvent, threadItem);
}
PhDereferenceObject(threadItem);
}
}
PhInvokeCallback(&threadProvider->UpdatedEvent, NULL);
threadProvider->RunId++;
}
INT_PTR CALLBACK WepWindowsPageProc(
_In_ HWND hwndDlg,
_In_ UINT uMsg,
_In_ WPARAM wParam,
_In_ LPARAM lParam
)
{
PWINDOWS_CONTEXT context;
LPPROPSHEETPAGE propSheetPage;
PPH_PROCESS_PROPPAGECONTEXT propPageContext;
PPH_PROCESS_ITEM processItem;
if (PhPropPageDlgProcHeader(hwndDlg, uMsg, lParam, &propSheetPage, &propPageContext, &processItem))
{
context = propPageContext->Context;
}
else
{
return FALSE;
}
switch (uMsg)
{
case WM_INITDIALOG:
{
context->TreeNewHandle = GetDlgItem(hwndDlg, IDC_LIST);
context->SearchBoxHandle = GetDlgItem(hwndDlg, IDC_SEARCHEDIT);
PhCreateSearchControl(hwndDlg, context->SearchBoxHandle, L"Search Windows (Ctrl+K)");
WeInitializeWindowTree(hwndDlg, context->TreeNewHandle, &context->TreeContext);
PhRegisterDialog(hwndDlg);
PhInitializeLayoutManager(&context->LayoutManager, hwndDlg);
PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_SEARCHEDIT), NULL, PH_ANCHOR_TOP | PH_ANCHOR_RIGHT);
PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_LIST), NULL, PH_ANCHOR_ALL);
WepRefreshWindows(context);
}
break;
case WM_SHOWWINDOW:
{
if (PhBeginPropPageLayout(hwndDlg, propPageContext))
PhEndPropPageLayout(hwndDlg, propPageContext);
}
break;
case WM_DESTROY:
{
PhDeleteLayoutManager(&context->LayoutManager);
PhUnregisterDialog(hwndDlg);
WeDeleteWindowTree(&context->TreeContext);
WepDeleteWindowSelector(&context->Selector);
PhFree(context);
}
break;
case WM_COMMAND:
{
switch (GET_WM_COMMAND_CMD(wParam, lParam))
{
case EN_CHANGE:
{
PPH_STRING newSearchboxText;
if (GET_WM_COMMAND_HWND(wParam, lParam) != context->SearchBoxHandle)
break;
newSearchboxText = PH_AUTO(PhGetWindowText(context->SearchBoxHandle));
if (!PhEqualString(context->TreeContext.SearchboxText, newSearchboxText, FALSE))
{
PhSwapReference(&context->TreeContext.SearchboxText, newSearchboxText);
if (!PhIsNullOrEmptyString(context->TreeContext.SearchboxText))
WeExpandAllWindowNodes(&context->TreeContext, TRUE);
PhApplyTreeNewFilters(&context->TreeContext.FilterSupport);
TreeNew_NodesStructured(context->TreeNewHandle);
// PhInvokeCallback(&SearchChangedEvent, SearchboxText);
}
}
break;
}
switch (GET_WM_COMMAND_ID(wParam, lParam))
{
case IDC_REFRESH:
WepRefreshWindows(context);
break;
case ID_SHOWCONTEXTMENU:
{
PPH_TREENEW_CONTEXT_MENU contextMenuEvent = (PPH_TREENEW_CONTEXT_MENU)lParam;
PWE_WINDOW_NODE *windows;
ULONG numberOfWindows;
PPH_EMENU menu;
PPH_EMENU selectedItem;
WeGetSelectedWindowNodes(
&context->TreeContext,
&windows,
&numberOfWindows
);
if (numberOfWindows != 0)
{
menu = PhCreateEMenu();
PhLoadResourceEMenuItem(menu, PluginInstance->DllBase, MAKEINTRESOURCE(IDR_WINDOW), 0);
PhInsertCopyCellEMenuItem(menu, ID_WINDOW_COPY, context->TreeNewHandle, contextMenuEvent->Column);
PhSetFlagsEMenuItem(menu, ID_WINDOW_PROPERTIES, PH_EMENU_DEFAULT, PH_EMENU_DEFAULT);
if (numberOfWindows == 1)
{
WINDOWPLACEMENT placement = { sizeof(placement) };
BYTE alpha;
ULONG flags;
ULONG i;
ULONG id;
// State
GetWindowPlacement(windows[0]->WindowHandle, &placement);
if (placement.showCmd == SW_MINIMIZE)
PhSetFlagsEMenuItem(menu, ID_WINDOW_MINIMIZE, PH_EMENU_DISABLED, PH_EMENU_DISABLED);
else if (placement.showCmd == SW_MAXIMIZE)
PhSetFlagsEMenuItem(menu, ID_WINDOW_MAXIMIZE, PH_EMENU_DISABLED, PH_EMENU_DISABLED);
else if (placement.showCmd == SW_NORMAL)
PhSetFlagsEMenuItem(menu, ID_WINDOW_RESTORE, PH_EMENU_DISABLED, PH_EMENU_DISABLED);
// Visible
PhSetFlagsEMenuItem(menu, ID_WINDOW_VISIBLE, PH_EMENU_CHECKED,
(GetWindowLong(windows[0]->WindowHandle, GWL_STYLE) & WS_VISIBLE) ? PH_EMENU_CHECKED : 0);
// Enabled
PhSetFlagsEMenuItem(menu, ID_WINDOW_ENABLED, PH_EMENU_CHECKED,
!(GetWindowLong(windows[0]->WindowHandle, GWL_STYLE) & WS_DISABLED) ? PH_EMENU_CHECKED : 0);
// Always on Top
PhSetFlagsEMenuItem(menu, ID_WINDOW_ALWAYSONTOP, PH_EMENU_CHECKED,
(GetWindowLong(windows[0]->WindowHandle, GWL_EXSTYLE) & WS_EX_TOPMOST) ? PH_EMENU_CHECKED : 0);
// Opacity
if (GetLayeredWindowAttributes(windows[0]->WindowHandle, NULL, &alpha, &flags))
{
if (!(flags & LWA_ALPHA))
alpha = 255;
}
else
{
alpha = 255;
}
if (alpha == 255)
{
id = ID_OPACITY_OPAQUE;
}
else
{
id = 0;
// Due to integer division, we cannot use simple arithmetic to calculate which menu item to check.
for (i = 0; i < 10; i++)
{
if (alpha == (BYTE)(255 * (i + 1) / 10))
{
id = ID_OPACITY_10 + i;
break;
}
}
}
if (id != 0)
{
PhSetFlagsEMenuItem(menu, id, PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK,
PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK);
}
}
else
{
PhSetFlagsAllEMenuItems(menu, PH_EMENU_DISABLED, PH_EMENU_DISABLED);
PhSetFlagsEMenuItem(menu, ID_WINDOW_COPY, PH_EMENU_DISABLED, 0);
}
selectedItem = PhShowEMenu(
menu,
hwndDlg,
PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT,
PH_ALIGN_LEFT | PH_ALIGN_TOP,
contextMenuEvent->Location.x,
contextMenuEvent->Location.y
);
if (selectedItem && selectedItem->Id != -1)
{
BOOLEAN handled = FALSE;
handled = PhHandleCopyCellEMenuItem(selectedItem);
}
PhDestroyEMenu(menu);
}
}
break;
case ID_WINDOW_BRINGTOFRONT:
{
PWE_WINDOW_NODE selectedNode;
if (selectedNode = WeGetSelectedWindowNode(&context->TreeContext))
{
WINDOWPLACEMENT placement = { sizeof(placement) };
GetWindowPlacement(selectedNode->WindowHandle, &placement);
if (placement.showCmd == SW_MINIMIZE)
ShowWindowAsync(selectedNode->WindowHandle, SW_RESTORE);
else
SetForegroundWindow(selectedNode->WindowHandle);
}
}
break;
case ID_WINDOW_RESTORE:
{
PWE_WINDOW_NODE selectedNode;
if (selectedNode = WeGetSelectedWindowNode(&context->TreeContext))
{
ShowWindowAsync(selectedNode->WindowHandle, SW_RESTORE);
}
}
break;
case ID_WINDOW_MINIMIZE:
{
PWE_WINDOW_NODE selectedNode;
if (selectedNode = WeGetSelectedWindowNode(&context->TreeContext))
{
ShowWindowAsync(selectedNode->WindowHandle, SW_MINIMIZE);
}
}
break;
case ID_WINDOW_MAXIMIZE:
{
PWE_WINDOW_NODE selectedNode;
if (selectedNode = WeGetSelectedWindowNode(&context->TreeContext))
{
ShowWindowAsync(selectedNode->WindowHandle, SW_MAXIMIZE);
}
}
break;
case ID_WINDOW_CLOSE:
{
PWE_WINDOW_NODE selectedNode;
if (selectedNode = WeGetSelectedWindowNode(&context->TreeContext))
{
PostMessage(selectedNode->WindowHandle, WM_CLOSE, 0, 0);
}
}
break;
case ID_WINDOW_VISIBLE:
{
PWE_WINDOW_NODE selectedNode;
if (selectedNode = WeGetSelectedWindowNode(&context->TreeContext))
{
if (IsWindowVisible(selectedNode->WindowHandle))
{
selectedNode->WindowVisible = FALSE;
ShowWindowAsync(selectedNode->WindowHandle, SW_HIDE);
}
else
{
selectedNode->WindowVisible = TRUE;
ShowWindowAsync(selectedNode->WindowHandle, SW_SHOW);
}
PhInvalidateTreeNewNode(&selectedNode->Node, TN_CACHE_COLOR);
TreeNew_InvalidateNode(context->TreeNewHandle, &selectedNode->Node);
}
}
break;
case ID_WINDOW_ENABLED:
{
PWE_WINDOW_NODE selectedNode;
if (selectedNode = WeGetSelectedWindowNode(&context->TreeContext))
{
EnableWindow(selectedNode->WindowHandle, !IsWindowEnabled(selectedNode->WindowHandle));
}
}
break;
case ID_WINDOW_ALWAYSONTOP:
{
PWE_WINDOW_NODE selectedNode;
if (selectedNode = WeGetSelectedWindowNode(&context->TreeContext))
{
LOGICAL topMost;
topMost = GetWindowLong(selectedNode->WindowHandle, GWL_EXSTYLE) & WS_EX_TOPMOST;
SetWindowPos(selectedNode->WindowHandle, topMost ? HWND_NOTOPMOST : HWND_TOPMOST,
0, 0, 0, 0, SWP_NOACTIVATE | SWP_NOMOVE | SWP_NOSIZE);
}
}
break;
case ID_OPACITY_10:
case ID_OPACITY_20:
case ID_OPACITY_30:
case ID_OPACITY_40:
case ID_OPACITY_50:
case ID_OPACITY_60:
case ID_OPACITY_70:
case ID_OPACITY_80:
case ID_OPACITY_90:
case ID_OPACITY_OPAQUE:
{
PWE_WINDOW_NODE selectedNode;
if (selectedNode = WeGetSelectedWindowNode(&context->TreeContext))
{
ULONG opacity;
opacity = ((ULONG)LOWORD(wParam) - ID_OPACITY_10) + 1;
if (opacity == 10)
{
// Remove the WS_EX_LAYERED bit since it is not needed.
PhSetWindowExStyle(selectedNode->WindowHandle, WS_EX_LAYERED, 0);
RedrawWindow(selectedNode->WindowHandle, NULL, NULL, RDW_ERASE | RDW_INVALIDATE | RDW_FRAME | RDW_ALLCHILDREN);
}
else
{
// Add the WS_EX_LAYERED bit so opacity will work.
PhSetWindowExStyle(selectedNode->WindowHandle, WS_EX_LAYERED, WS_EX_LAYERED);
SetLayeredWindowAttributes(selectedNode->WindowHandle, 0, (BYTE)(255 * opacity / 10), LWA_ALPHA);
}
}
}
break;
case ID_WINDOW_HIGHLIGHT:
{
PWE_WINDOW_NODE selectedNode;
if (selectedNode = WeGetSelectedWindowNode(&context->TreeContext))
{
if (context->HighlightingWindow)
{
if (context->HighlightingWindowCount & 1)
WeInvertWindowBorder(context->HighlightingWindow);
}
context->HighlightingWindow = selectedNode->WindowHandle;
context->HighlightingWindowCount = 10;
SetTimer(hwndDlg, 9, 100, NULL);
}
}
break;
case ID_WINDOW_GOTOTHREAD:
{
PWE_WINDOW_NODE selectedNode;
PPH_PROCESS_ITEM processItem;
PPH_PROCESS_PROPCONTEXT propContext;
if (selectedNode = WeGetSelectedWindowNode(&context->TreeContext))
{
if (processItem = PhReferenceProcessItem(selectedNode->ClientId.UniqueProcess))
{
if (propContext = PhCreateProcessPropContext(WE_PhMainWndHandle, processItem))
{
PhSetSelectThreadIdProcessPropContext(propContext, selectedNode->ClientId.UniqueThread);
PhShowProcessProperties(propContext);
PhDereferenceObject(propContext);
}
PhDereferenceObject(processItem);
}
else
{
PhShowError(hwndDlg, L"The process does not exist.");
}
}
}
break;
case ID_WINDOW_PROPERTIES:
{
PWE_WINDOW_NODE selectedNode;
if (selectedNode = WeGetSelectedWindowNode(&context->TreeContext))
WeShowWindowProperties(hwndDlg, selectedNode->WindowHandle);
}
break;
case ID_WINDOW_COPY:
{
PPH_STRING text;
text = PhGetTreeNewText(context->TreeNewHandle, 0);
PhSetClipboardString(hwndDlg, &text->sr);
PhDereferenceObject(text);
}
break;
}
}
break;
case WM_TIMER:
{
switch (wParam)
{
case 9:
{
WeInvertWindowBorder(context->HighlightingWindow);
if (--context->HighlightingWindowCount == 0)
KillTimer(hwndDlg, 9);
}
break;
}
}
break;
case WM_SIZE:
PhLayoutManagerLayout(&context->LayoutManager);
break;
case WM_NOTIFY:
{
LPNMHDR header = (LPNMHDR)lParam;
switch (header->code)
{
case PSN_QUERYINITIALFOCUS:
SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, (LPARAM)GetDlgItem(hwndDlg, IDC_REFRESH));
return TRUE;
}
}
break;
}
return FALSE;
}
VOID PhShowThreadStackDialog(
_In_ HWND ParentWindowHandle,
_In_ HANDLE ProcessId,
_In_ HANDLE ThreadId,
_In_ PPH_SYMBOL_PROVIDER SymbolProvider
)
{
NTSTATUS status;
THREAD_STACK_CONTEXT threadStackContext;
HANDLE threadHandle = NULL;
// If the user is trying to view a system thread stack
// but KProcessHacker is not loaded, show an error message.
if (ProcessId == SYSTEM_PROCESS_ID && !KphIsConnected())
{
PhShowError(ParentWindowHandle, KPH_ERROR_MESSAGE);
return;
}
memset(&threadStackContext, 0, sizeof(THREAD_STACK_CONTEXT));
threadStackContext.ProcessId = ProcessId;
threadStackContext.ThreadId = ThreadId;
threadStackContext.SymbolProvider = SymbolProvider;
if (!NT_SUCCESS(status = PhOpenThread(
&threadHandle,
THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME,
ThreadId
)))
{
if (KphIsConnected())
{
status = PhOpenThread(
&threadHandle,
ThreadQueryAccess,
ThreadId
);
}
}
if (!NT_SUCCESS(status))
{
PhShowStatus(ParentWindowHandle, L"Unable to open the thread", status, 0);
return;
}
threadStackContext.ThreadHandle = threadHandle;
threadStackContext.List = PhCreateList(10);
threadStackContext.NewList = PhCreateList(10);
PhInitializeQueuedLock(&threadStackContext.StatusLock);
DialogBoxParam(
PhInstanceHandle,
MAKEINTRESOURCE(IDD_THRDSTACK),
ParentWindowHandle,
PhpThreadStackDlgProc,
(LPARAM)&threadStackContext
);
PhSwapReference(&threadStackContext.StatusMessage, NULL);
PhDereferenceObject(threadStackContext.NewList);
PhDereferenceObject(threadStackContext.List);
if (threadStackContext.ThreadHandle)
NtClose(threadStackContext.ThreadHandle);
}
// NOTE: This function does not use the SCM due to major performance issues.
// For now just query this information from the registry but it might be out-of-sync
// with any recent services changes until the SCM flushes its cache.
NTSTATUS QueryServiceFileName(
_In_ PPH_STRINGREF ServiceName,
_Out_ PPH_STRING *ServiceFileName,
_Out_ PPH_STRING *ServiceBinaryPath
)
{
static PH_STRINGREF servicesKeyName = PH_STRINGREF_INIT(L"System\\CurrentControlSet\\Services\\");
static PH_STRINGREF typeKeyName = PH_STRINGREF_INIT(L"Type");
NTSTATUS status;
HANDLE keyHandle;
ULONG serviceType = 0;
PPH_STRING keyName;
PPH_STRING binaryPath;
PPH_STRING fileName;
keyName = PhConcatStringRef2(&servicesKeyName, ServiceName);
binaryPath = NULL;
fileName = NULL;
if (NT_SUCCESS(status = PhOpenKey(
&keyHandle,
KEY_READ,
PH_KEY_LOCAL_MACHINE,
&keyName->sr,
0
)))
{
PPH_STRING serviceImagePath;
PKEY_VALUE_PARTIAL_INFORMATION buffer;
if (NT_SUCCESS(status = PhQueryValueKey(
keyHandle,
&typeKeyName,
KeyValuePartialInformation,
&buffer
)))
{
if (
buffer->Type == REG_DWORD &&
buffer->DataLength == sizeof(ULONG)
)
{
serviceType = *(PULONG)buffer->Data;
}
PhFree(buffer);
}
if (serviceImagePath = PhQueryRegistryString(keyHandle, L"ImagePath"))
{
PPH_STRING expandedString;
if (expandedString = PhExpandEnvironmentStrings(&serviceImagePath->sr))
{
binaryPath = expandedString;
PhDereferenceObject(serviceImagePath);
}
else
{
binaryPath = serviceImagePath;
}
}
else
{
status = STATUS_NOT_FOUND;
}
NtClose(keyHandle);
}
if (NT_SUCCESS(status))
{
PhGetServiceDllParameter(ServiceName, &fileName);
if (!fileName)
{
if (serviceType & SERVICE_WIN32)
{
PH_STRINGREF dummyFileName;
PH_STRINGREF dummyArguments;
PhParseCommandLineFuzzy(&binaryPath->sr, &dummyFileName, &dummyArguments, &fileName);
if (!fileName)
PhSwapReference(&fileName, binaryPath);
}
else
{
fileName = PhGetFileName(binaryPath);
}
}
*ServiceFileName = fileName;
*ServiceBinaryPath = binaryPath;
}
else
{
if (binaryPath)
PhDereferenceObject(binaryPath);
}
PhDereferenceObject(keyName);
return status;
}
static PPH_PROCESS_ITEM PhpCreateProcessItemForHiddenProcess(
_In_ PPH_HIDDEN_PROCESS_ENTRY Entry
)
{
NTSTATUS status;
PPH_PROCESS_ITEM processItem;
PPH_PROCESS_ITEM idleProcessItem;
HANDLE processHandle;
PROCESS_BASIC_INFORMATION basicInfo;
KERNEL_USER_TIMES times;
PROCESS_PRIORITY_CLASS priorityClass;
ULONG handleCount;
HANDLE processHandle2;
if (Entry->Type == NormalProcess)
{
processItem = PhReferenceProcessItem(Entry->ProcessId);
if (processItem)
return processItem;
}
processItem = PhCreateProcessItem(Entry->ProcessId);
// Mark the process as terminated if necessary.
if (Entry->Type == TerminatedProcess)
processItem->State |= PH_PROCESS_ITEM_REMOVED;
// We need a process record. Just use the record of System Idle Process.
if (idleProcessItem = PhReferenceProcessItem(SYSTEM_IDLE_PROCESS_ID))
{
processItem->Record = idleProcessItem->Record;
PhReferenceProcessRecord(processItem->Record);
}
else
{
PhDereferenceObject(processItem);
return NULL;
}
// Set up the file name and process name.
PhSwapReference(&processItem->FileName, Entry->FileName);
if (processItem->FileName)
{
processItem->ProcessName = PhGetBaseName(processItem->FileName);
}
else
{
processItem->ProcessName = PhCreateString(L"Unknown");
}
if (ProcessesMethod == BruteForceScanMethod)
{
status = PhOpenProcess(
&processHandle,
ProcessQueryAccess,
Entry->ProcessId
);
}
else
{
status = PhOpenProcessByCsrHandles(
&processHandle,
ProcessQueryAccess,
Entry->ProcessId
);
}
if (NT_SUCCESS(status))
{
// Basic information and not-so-dynamic information
processItem->QueryHandle = processHandle;
if (NT_SUCCESS(PhGetProcessBasicInformation(processHandle, &basicInfo)))
{
processItem->ParentProcessId = basicInfo.InheritedFromUniqueProcessId;
processItem->BasePriority = basicInfo.BasePriority;
}
PhGetProcessSessionId(processHandle, &processItem->SessionId);
PhPrintUInt32(processItem->ParentProcessIdString, HandleToUlong(processItem->ParentProcessId));
PhPrintUInt32(processItem->SessionIdString, processItem->SessionId);
if (NT_SUCCESS(PhGetProcessTimes(processHandle, ×)))
{
processItem->CreateTime = times.CreateTime;
processItem->KernelTime = times.KernelTime;
processItem->UserTime = times.UserTime;
}
// TODO: Token information?
if (NT_SUCCESS(NtQueryInformationProcess(
processHandle,
ProcessPriorityClass,
&priorityClass,
sizeof(PROCESS_PRIORITY_CLASS),
NULL
)))
{
processItem->PriorityClass = priorityClass.PriorityClass;
}
if (NT_SUCCESS(NtQueryInformationProcess(
processHandle,
ProcessHandleCount,
&handleCount,
sizeof(ULONG),
NULL
)))
{
processItem->NumberOfHandles = handleCount;
}
}
// Stage 1
// Some copy and paste magic here...
if (processItem->FileName)
{
// Small icon, large icon.
ExtractIconEx(
processItem->FileName->Buffer,
0,
&processItem->LargeIcon,
&processItem->SmallIcon,
1
);
// Version info.
PhInitializeImageVersionInfo(&processItem->VersionInfo, processItem->FileName->Buffer);
}
// Use the default EXE icon if we didn't get the file's icon.
{
if (!processItem->SmallIcon || !processItem->LargeIcon)
{
if (processItem->SmallIcon)
{
DestroyIcon(processItem->SmallIcon);
processItem->SmallIcon = NULL;
}
else if (processItem->LargeIcon)
{
DestroyIcon(processItem->LargeIcon);
processItem->LargeIcon = NULL;
}
PhGetStockApplicationIcon(&processItem->SmallIcon, &processItem->LargeIcon);
processItem->SmallIcon = DuplicateIcon(NULL, processItem->SmallIcon);
processItem->LargeIcon = DuplicateIcon(NULL, processItem->LargeIcon);
}
}
// POSIX, command line
status = PhOpenProcess(
&processHandle2,
ProcessQueryAccess | PROCESS_VM_READ,
Entry->ProcessId
);
if (NT_SUCCESS(status))
{
BOOLEAN isPosix = FALSE;
PPH_STRING commandLine;
ULONG i;
status = PhGetProcessIsPosix(processHandle2, &isPosix);
processItem->IsPosix = isPosix;
if (!NT_SUCCESS(status) || !isPosix)
{
status = PhGetProcessCommandLine(processHandle2, &commandLine);
if (NT_SUCCESS(status))
{
// Some command lines (e.g. from taskeng.exe) have nulls in them.
// Since Windows can't display them, we'll replace them with
// spaces.
for (i = 0; i < (ULONG)commandLine->Length / 2; i++)
{
if (commandLine->Buffer[i] == 0)
commandLine->Buffer[i] = ' ';
}
}
}
else
{
// Get the POSIX command line.
status = PhGetProcessPosixCommandLine(processHandle2, &commandLine);
}
if (NT_SUCCESS(status))
{
processItem->CommandLine = commandLine;
}
NtClose(processHandle2);
}
// TODO: Other stage 1 tasks.
PhSetEvent(&processItem->Stage1Event);
return processItem;
}
