예제 #1
// Delete procedure for a symbol provider object.
//
// Tears the provider down in this order: delete its event callback, run the
// symbol-engine cleanup for the process handle (only when the provider
// registered with it), free every entry on the modules list, and finally
// close the process handle when the provider holds a real one.
//
// Object - the symbol provider being destroyed.
// Flags  - not read by this procedure.
VOID NTAPI PhpSymbolProviderDeleteProcedure(
    _In_ PVOID Object,
    _In_ ULONG Flags
    )
{
    PPH_SYMBOL_PROVIDER provider = (PPH_SYMBOL_PROVIDER)Object;
    PLIST_ENTRY head = &provider->ModulesListHead;
    PLIST_ENTRY current;
    PLIST_ENTRY next;

    PhDeleteCallback(&provider->EventCallback);

    // SymCleanup_I is a function pointer that may be unset; the lock is
    // only taken when there is something to call.
    if (SymCleanup_I)
    {
        PH_LOCK_SYMBOLS();

        // Cleanup is keyed on the process handle, so it must happen
        // before that handle is closed at the end of this procedure.
        if (provider->IsRegistered)
            SymCleanup_I(provider->ProcessHandle);

        PH_UNLOCK_SYMBOLS();
    }

    // Capture the successor before freeing: the list entry is embedded in
    // the module record, so it must not be read after the record is freed.
    for (current = head->Flink; current != head; current = next)
    {
        next = current->Flink;
        PhpFreeSymbolModule(CONTAINING_RECORD(current, PH_SYMBOL_MODULE, ListEntry));
    }

    // NOTE(review): IsRealHandle presumably marks a handle this provider
    // owns (as opposed to a borrowed or pseudo handle) - confirm. Closing
    // only in that case avoids closing a handle that belongs to someone else.
    if (provider->IsRealHandle)
    {
        NtClose(provider->ProcessHandle);
    }
}
예제 #2
// Delete procedure for a thread provider object.
//
// Notifies the extension manager of the deletion, drops the references held
// on the provider's thread items and hashtable, deletes its lock and event
// callbacks, drains the pending query list, and releases the symbol provider.
//
// Object - the thread provider being destroyed.
// Flags  - not read by this procedure.
VOID PhpThreadProviderDeleteProcedure(
    _In_ PVOID Object,
    _In_ ULONG Flags
    )
{
    PPH_THREAD_PROVIDER provider = (PPH_THREAD_PROVIDER)Object;
    PSLIST_ENTRY pending;
    PSLIST_ENTRY following;
    PPH_THREAD_QUERY_DATA queryData;

    PhEmCallObjectOperation(EmThreadProviderType, provider, EmObjectDelete);

    // Each thread item was referenced when it was added to the hashtable;
    // give those references back before releasing the hashtable itself.
    PhDereferenceAllThreadItems(provider);

    PhDereferenceObject(provider->ThreadHashtable);
    PhDeleteFastLock(&provider->ThreadHashtableLock);
    PhDeleteCallback(&provider->ThreadAddedEvent);
    PhDeleteCallback(&provider->ThreadModifiedEvent);
    PhDeleteCallback(&provider->ThreadRemovedEvent);
    PhDeleteCallback(&provider->UpdatedEvent);
    PhDeleteCallback(&provider->LoadingStateChangedEvent);

    // Destroy all queue items. The flush detaches the whole list in one
    // interlocked operation, so the walk below runs over a private chain.
    // NOTE(review): assumes nothing can still push onto QueryListHead once
    // the delete procedure is running - confirm against the producers.
    for (pending = RtlInterlockedFlushSList(&provider->QueryListHead); pending; pending = following)
    {
        // Read the link first; the entry lives inside the record freed below.
        following = pending->Next;
        queryData = CONTAINING_RECORD(pending, PH_THREAD_QUERY_DATA, ListEntry);

        PhClearReference(&queryData->StartAddressString);
        PhClearReference(&queryData->ServiceName);
        PhDereferenceObject(queryData->ThreadItem);
        PhFree(queryData);
    }

    // The process handle is deliberately not closed here: it is owned by
    // the symbol provider, which closes it in its own delete procedure.
    if (provider->SymbolProvider)
    {
        PhDereferenceObject(provider->SymbolProvider);
    }
}
예제 #3
// Delete procedure for a handle provider object.
//
// Drops the references held on the provider's handle items, frees the hash
// set, deletes the three handle event callbacks, closes the process handle
// if one is present, and releases the temporary-list hashtable.
//
// Object - the handle provider being destroyed.
// Flags  - not read by this procedure.
VOID PhpHandleProviderDeleteProcedure(
    __in PVOID Object,
    __in ULONG Flags
    )
{
    PPH_HANDLE_PROVIDER provider = (PPH_HANDLE_PROVIDER)Object;

    // Each handle item was referenced when it was added to the hashtable;
    // those references are returned before the hash set storage is freed.
    PhDereferenceAllHandleItems(provider);

    PhFree(provider->HandleHashSet);
    PhDeleteCallback(&provider->HandleAddedEvent);
    PhDeleteCallback(&provider->HandleModifiedEvent);
    PhDeleteCallback(&provider->HandleRemovedEvent);

    // Unlike the thread provider, this object closes the process handle
    // itself; a NULL handle means there is nothing to close.
    if (provider->ProcessHandle)
    {
        NtClose(provider->ProcessHandle);
    }

    PhDereferenceObject(provider->TempListHashtable);
}
예제 #4
// Delete procedure for a module provider object.
//
// Notifies the extension manager of the deletion, drops the references held
// on the provider's module items and hashtable, deletes its lock and event
// callbacks, drains the pending query list, then releases the package name
// and closes the process handle when each is present.
//
// Object - the module provider being destroyed.
// Flags  - not read by this procedure.
VOID PhpModuleProviderDeleteProcedure(
    _In_ PVOID Object,
    _In_ ULONG Flags
    )
{
    PPH_MODULE_PROVIDER provider = (PPH_MODULE_PROVIDER)Object;
    PSLIST_ENTRY pending;
    PSLIST_ENTRY following;
    PPH_MODULE_QUERY_DATA queryData;

    PhEmCallObjectOperation(EmModuleProviderType, provider, EmObjectDelete);

    // Each module item was referenced when it was added to the hashtable;
    // give those references back before releasing the hashtable itself.
    PhDereferenceAllModuleItems(provider);

    PhDereferenceObject(provider->ModuleHashtable);
    PhDeleteFastLock(&provider->ModuleHashtableLock);
    PhDeleteCallback(&provider->ModuleAddedEvent);
    PhDeleteCallback(&provider->ModuleModifiedEvent);
    PhDeleteCallback(&provider->ModuleRemovedEvent);
    PhDeleteCallback(&provider->UpdatedEvent);

    // Destroy all queue items. The flush detaches the whole list in one
    // interlocked operation, so the walk below runs over a private chain.
    // NOTE(review): assumes nothing can still push onto QueryListHead once
    // the delete procedure is running - confirm against the producers.
    for (pending = RtlInterlockedFlushSList(&provider->QueryListHead); pending; pending = following)
    {
        // Read the link first; the entry lives inside the record freed below.
        following = pending->Next;
        queryData = CONTAINING_RECORD(pending, PH_MODULE_QUERY_DATA, ListEntry);

        // The signer name is optional, so it is released only when set.
        if (queryData->VerifySignerName)
        {
            PhDereferenceObject(queryData->VerifySignerName);
        }

        PhDereferenceObject(queryData->ModuleItem);
        PhFree(queryData);
    }

    if (provider->PackageFullName)
    {
        PhDereferenceObject(provider->PackageFullName);
    }

    // This provider closes the process handle itself; a NULL handle means
    // there is nothing to close.
    if (provider->ProcessHandle)
    {
        NtClose(provider->ProcessHandle);
    }
}