static BOOLEAN LoadSymbolsEnumGenericModulesCallback(
    _In_ PPH_MODULE_INFO Module,
    _In_opt_ PVOID Context
    )
{
    // PhEnumGenericModules callback: hands each enumerated module (path, base
    // address, size) to the symbol provider carried in the NETWORK_STACK_CONTEXT.
    // Always returns TRUE so that enumeration continues.
    //
    // NOTE(review): Context is annotated _In_opt_ but is dereferenced without a
    // NULL check, so every caller must supply a valid NETWORK_STACK_CONTEXT.
    PNETWORK_STACK_CONTEXT stackContext = Context;
    ULONG_PTR moduleBase = (ULONG_PTR)Module->BaseAddress;
    BOOLEAN kernelPassForOtherProcess;

    // A kernel-module pass (LoadingProcessId == System) made on behalf of a
    // non-System process may also report user-space images (observed on
    // Windows 7). Those are skipped: anything at or below the user-mode ceiling.
    kernelPassForOtherProcess =
        stackContext->LoadingProcessId == SYSTEM_PROCESS_ID &&
        stackContext->NetworkItem->ProcessId != SYSTEM_PROCESS_ID;

    if (kernelPassForOtherProcess && moduleBase <= PhSystemBasicInformation.MaximumUserModeAddress)
        return TRUE;

    PhLoadModuleSymbolProvider(
        stackContext->SymbolProvider,
        Module->FileName->Buffer,
        (ULONG64)Module->BaseAddress,
        Module->Size
        );

    return TRUE;
}
NTSTATUS PhSipLoadMmAddresses(
    _In_ PVOID Parameter
    )
{
    // Resolves the kernel-mode addresses of MmSizeOfPagedPoolInBytes and
    // MmMaximumNonPagedPoolInBytes and stores them in the file-scope globals of
    // the same names. The symbols are looked up in the first entry of the kernel
    // module list (presumably the kernel image itself — not verified here).
    //
    // Parameter is unused. The function always returns STATUS_SUCCESS, even when
    // module enumeration fails or a symbol cannot be resolved; in that case the
    // corresponding global is simply left untouched.
    PRTL_PROCESS_MODULES moduleList;

    if (!NT_SUCCESS(PhEnumKernelModules(&moduleList)))
        return STATUS_SUCCESS;

    if (moduleList->NumberOfModules != 0)
    {
        PPH_SYMBOL_PROVIDER provider = PhCreateSymbolProvider(NULL);
        PPH_STRING rawPath;
        PPH_STRING imagePath;
        PH_SYMBOL_INFORMATION symbol;

        PhLoadSymbolProviderOptions(provider);

        // FullPathName is a narrow string; convert it and normalise the path
        // before feeding it to the symbol provider. Both strings are auto-released.
        rawPath = PH_AUTO(PhConvertMultiByteToUtf16(moduleList->Modules[0].FullPathName));
        imagePath = PH_AUTO(PhGetFileName(rawPath));

        PhLoadModuleSymbolProvider(
            provider,
            imagePath->Buffer,
            (ULONG64)moduleList->Modules[0].ImageBase,
            moduleList->Modules[0].ImageSize
            );

        // Each lookup is independent: a miss on one symbol does not prevent the other.
        if (PhGetSymbolFromName(provider, L"MmSizeOfPagedPoolInBytes", &symbol))
            MmSizeOfPagedPoolInBytes = (PSIZE_T)symbol.Address;

        if (PhGetSymbolFromName(provider, L"MmMaximumNonPagedPoolInBytes", &symbol))
            MmMaximumNonPagedPoolInBytes = (PSIZE_T)symbol.Address;

        PhDereferenceObject(provider);
    }

    PhFree(moduleList);

    return STATUS_SUCCESS;
}
static BOOLEAN NTAPI EnumGenericModulesCallback(
    __in PPH_MODULE_INFO Module,
    __in_opt PVOID Context
    )
{
    // PhEnumGenericModules callback: loads symbols for native and WOW64 image
    // modules only; every other module type is ignored. Context is passed
    // straight through as the symbol provider. Always returns TRUE so that
    // enumeration continues.
    BOOLEAN isImageModule;

    switch (Module->Type)
    {
    case PH_MODULE_TYPE_MODULE:
    case PH_MODULE_TYPE_WOW64_MODULE:
        isImageModule = TRUE;
        break;
    default:
        isImageModule = FALSE;
        break;
    }

    if (isImageModule)
    {
        PhLoadModuleSymbolProvider(
            Context,
            Module->FileName->Buffer,
            (ULONG64)Module->BaseAddress,
            Module->Size
            );
    }

    return TRUE;
}
static BOOLEAN NTAPI EnumGenericModulesCallback(
    _In_ PPH_MODULE_INFO Module,
    _In_opt_ PVOID Context
    )
{
    // PhEnumGenericModules callback: hands each enumerated module (path, base
    // address, size) to the symbol provider held in the WS_WATCH_CONTEXT.
    // Always returns TRUE so that enumeration continues.
    //
    // NOTE(review): Context is annotated _In_opt_ but is dereferenced without a
    // NULL check, so every caller must supply a valid WS_WATCH_CONTEXT.
    PWS_WATCH_CONTEXT watchContext = Context;
    BOOLEAN isKernelPass = watchContext->LoadingSymbolsForProcessId == SYSTEM_PROCESS_ID;

    // A kernel-module pass may also report user-space images (observed on
    // Windows 7). Those are skipped: anything at or below the user-mode ceiling.
    if (isKernelPass &&
        (ULONG_PTR)Module->BaseAddress <= PhSystemBasicInformation.MaximumUserModeAddress)
    {
        return TRUE;
    }

    PhLoadModuleSymbolProvider(
        watchContext->SymbolProvider,
        Module->FileName->Buffer,
        (ULONG64)Module->BaseAddress,
        Module->Size
        );

    return TRUE;
}
static BOOLEAN LoadBasicSymbolsEnumGenericModulesCallback(
    __in PPH_MODULE_INFO Module,
    __in_opt PVOID Context
    )
{
    // PhEnumGenericModules callback used when the target process cannot be
    // enumerated directly: loads symbols only for ntdll.dll and kernel32.dll
    // (case-insensitive name match) and ignores everything else. Always returns
    // TRUE so that enumeration continues.
    //
    // NOTE(review): Context is annotated __in_opt but is dereferenced without a
    // NULL check, so every caller must supply a valid PH_THREAD_SYMBOL_LOAD_CONTEXT.
    static const PWSTR basicModuleNames[] = { L"ntdll.dll", L"kernel32.dll" };
    PPH_THREAD_SYMBOL_LOAD_CONTEXT loadContext = Context;
    ULONG i;

    for (i = 0; i < sizeof(basicModuleNames) / sizeof(basicModuleNames[0]); i++)
    {
        if (!PhEqualString2(Module->Name, basicModuleNames[i], TRUE))
            continue;

        PhLoadModuleSymbolProvider(
            loadContext->SymbolProvider,
            Module->FileName->Buffer,
            (ULONG64)Module->BaseAddress,
            Module->Size
            );
        break;
    }

    return TRUE;
}
// Loads symbols for the kernel image into SymbolProvider. Used for the System
// Idle Process, whose threads all start at KiIdleLoop inside the kernel.
// The first entry of the kernel module list is assumed to be the kernel image
// (not verified here). Silently does nothing if enumeration fails or the list
// is empty.
static VOID PhpLoadIdleProcessKernelSymbols(
    __in PPH_SYMBOL_PROVIDER SymbolProvider
    )
{
    PRTL_PROCESS_MODULES moduleList;

    if (!NT_SUCCESS(PhEnumKernelModules(&moduleList)))
        return;

    if (moduleList->NumberOfModules > 0)
    {
        PPH_STRING rawPath;
        PPH_STRING imagePath;

        // FullPathName is an ANSI string; convert it, then normalise the path.
        // rawPath is only needed to produce imagePath.
        rawPath = PhCreateStringFromAnsi(moduleList->Modules[0].FullPathName);
        imagePath = PhGetFileName(rawPath);
        PhDereferenceObject(rawPath);

        PhLoadModuleSymbolProvider(
            SymbolProvider,
            imagePath->Buffer,
            (ULONG64)moduleList->Modules[0].ImageBase,
            moduleList->Modules[0].ImageSize
            );
        PhDereferenceObject(imagePath);
    }

    PhFree(moduleList);
}

// Work-queue routine that loads symbols for the thread provider passed as
// Parameter (a referenced PPH_THREAD_PROVIDER). Loads user-mode module symbols
// for the target process (or just ntdll/kernel32 when the process cannot be
// enumerated), then kernel symbols, then records whether the process hosts
// services. Signals SymbolsLoadedEvent and releases the provider reference
// before returning. Always returns STATUS_SUCCESS.
NTSTATUS PhpThreadProviderLoadSymbols(
    __in PVOID Parameter
    )
{
    PPH_THREAD_PROVIDER provider = Parameter;
    PPH_SYMBOL_PROVIDER symbolProvider = provider->SymbolProvider;
    PH_THREAD_SYMBOL_LOAD_CONTEXT loadContext;

    loadContext.ThreadProvider = provider;
    loadContext.SymbolProvider = symbolProvider;

    PhLoadSymbolProviderOptions(symbolProvider);

    if (provider->ProcessId == SYSTEM_IDLE_PROCESS_ID)
    {
        PhpLoadIdleProcessKernelSymbols(symbolProvider);
    }
    else
    {
        // Direct enumeration needs a real process handle; the System process is
        // handled by PhEnumGenericModules without one.
        BOOLEAN canEnumerateTarget =
            symbolProvider->IsRealHandle ||
            provider->ProcessId == SYSTEM_PROCESS_ID;

        if (canEnumerateTarget)
        {
            loadContext.ProcessId = provider->ProcessId;
            PhEnumGenericModules(
                provider->ProcessId,
                symbolProvider->ProcessHandle,
                0,
                LoadSymbolsEnumGenericModulesCallback,
                &loadContext
                );
        }
        else
        {
            // Fall back to our own process: the modules we care about
            // (ntdll.dll, kernel32.dll) are mapped at the same addresses there.
            loadContext.ProcessId = NtCurrentProcessId();
            PhEnumGenericModules(
                NtCurrentProcessId(),
                NtCurrentProcess(),
                0,
                LoadBasicSymbolsEnumGenericModulesCallback,
                &loadContext
                );
        }

        // Kernel-mode frames need kernel symbols too, unless the target already
        // is the System process (whose pass above covered them).
        if (provider->ProcessId != SYSTEM_PROCESS_ID)
        {
            loadContext.ProcessId = SYSTEM_PROCESS_ID;
            PhEnumGenericModules(
                SYSTEM_PROCESS_ID,
                NULL,
                0,
                LoadSymbolsEnumGenericModulesCallback,
                &loadContext
                );
        }
    }

    // Service tag/name resolution later needs to know whether the process hosts
    // any services; cache that now.
    if (WINDOWS_HAS_SERVICE_TAGS)
    {
        PPH_PROCESS_ITEM processItem = PhReferenceProcessItem(provider->ProcessId);

        if (processItem)
        {
            provider->HasServices = processItem->ServiceList && processItem->ServiceList->Count != 0;
            PhDereferenceObject(processItem);
        }
    }

    PhSetEvent(&provider->SymbolsLoadedEvent);

    // Balances the reference taken by whoever queued this work item.
    PhDereferenceObject(provider);

    return STATUS_SUCCESS;
}
// Loads symbols for the kernel image into SymbolProvider. Used for the System
// Idle Process, whose threads all start at KiIdleLoop inside the kernel.
// The first entry of the kernel module list is assumed to be the kernel image
// (not verified here). Silently does nothing if enumeration fails or the list
// is empty.
static VOID PhpLoadSystemIdleKernelSymbols(
    _In_ PPH_SYMBOL_PROVIDER SymbolProvider
    )
{
    PRTL_PROCESS_MODULES moduleList;

    if (!NT_SUCCESS(PhEnumKernelModules(&moduleList)))
        return;

    if (moduleList->NumberOfModules > 0)
    {
        PPH_STRING rawPath;
        PPH_STRING imagePath;

        // FullPathName is a narrow string; convert it, then normalise the path.
        // rawPath is only needed to produce imagePath.
        rawPath = PhConvertMultiByteToUtf16(moduleList->Modules[0].FullPathName);
        imagePath = PhGetFileName(rawPath);
        PhDereferenceObject(rawPath);

        PhLoadModuleSymbolProvider(
            SymbolProvider,
            imagePath->Buffer,
            (ULONG64)moduleList->Modules[0].ImageBase,
            moduleList->Modules[0].ImageSize
            );
        PhDereferenceObject(imagePath);
    }

    PhFree(moduleList);
}

// Loads symbols for ThreadProvider's target process: user-mode module symbols
// (or just ntdll/kernel32 when the process cannot be enumerated directly),
// then kernel symbols. The whole load runs under LoadSymbolsLock; the RunId
// sampled at the start is published as SymbolsLoadedRunId at the end, so a
// reader can tell which provider run the loaded symbols belong to.
VOID PhLoadSymbolsThreadProvider(
    _In_ PPH_THREAD_PROVIDER ThreadProvider
    )
{
    PPH_SYMBOL_PROVIDER symbolProvider = ThreadProvider->SymbolProvider;
    PH_THREAD_SYMBOL_LOAD_CONTEXT loadContext;
    ULONG64 sampledRunId;

    loadContext.ThreadProvider = ThreadProvider;
    loadContext.SymbolProvider = symbolProvider;

    PhAcquireQueuedLockExclusive(&ThreadProvider->LoadSymbolsLock);
    sampledRunId = ThreadProvider->RunId;
    PhLoadSymbolProviderOptions(symbolProvider);

    if (ThreadProvider->ProcessId == SYSTEM_IDLE_PROCESS_ID)
    {
        PhpLoadSystemIdleKernelSymbols(symbolProvider);
    }
    else
    {
        // Direct enumeration needs a real process handle; the System process is
        // handled by PhEnumGenericModules without one.
        BOOLEAN canEnumerateTarget =
            symbolProvider->IsRealHandle ||
            ThreadProvider->ProcessId == SYSTEM_PROCESS_ID;

        if (canEnumerateTarget)
        {
            loadContext.ProcessId = ThreadProvider->ProcessId;
            PhEnumGenericModules(
                ThreadProvider->ProcessId,
                symbolProvider->ProcessHandle,
                0,
                LoadSymbolsEnumGenericModulesCallback,
                &loadContext
                );
        }
        else
        {
            // Fall back to our own process: the modules we care about
            // (ntdll.dll, kernel32.dll) are mapped at the same addresses there.
            loadContext.ProcessId = NtCurrentProcessId();
            PhEnumGenericModules(
                NtCurrentProcessId(),
                NtCurrentProcess(),
                0,
                LoadBasicSymbolsEnumGenericModulesCallback,
                &loadContext
                );
        }

        // Kernel-mode frames need kernel symbols too, unless the target already
        // is the System process (whose pass above covered them).
        if (ThreadProvider->ProcessId != SYSTEM_PROCESS_ID)
        {
            loadContext.ProcessId = SYSTEM_PROCESS_ID;
            PhEnumGenericModules(
                SYSTEM_PROCESS_ID,
                NULL,
                0,
                LoadSymbolsEnumGenericModulesCallback,
                &loadContext
                );
        }
    }

    ThreadProvider->SymbolsLoadedRunId = sampledRunId;
    PhReleaseQueuedLockExclusive(&ThreadProvider->LoadSymbolsLock);
}