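/**
 * Determines the type of a process based on its image file name.
 *
 * The classification is purely path-based: only images located under the
 * system root (\<root>\explorer.exe, \<root>\System32\xyz.exe and, on x64
 * builds, \<root>\SysWow64\xyz.exe) can map to a known type. An image with a
 * well-known file name that lives anywhere else is reported as
 * UnknownProcessType, so a known type says where the image is, not who the
 * process is.
 *
 * \param ProcessHandle A handle to a process. The handle must allow
 * PhGetProcessBasicInformation and PhGetProcessImageFileName to succeed.
 * \param KnownProcessType A variable which receives the process type. On x64
 * builds the KnownProcessWow64 flag is OR'd in for images under SysWow64.
 * The variable is only written when the function succeeds.
 *
 * \return A successful status, or the status of the query that failed.
 */
NTSTATUS PhGetProcessKnownType(
    __in HANDLE ProcessHandle,
    __out PH_KNOWN_PROCESS_TYPE *KnownProcessType
    )
{
    // "\\System32" and "\\SysWow64", including the leading backslash, are both 9 characters long.
    enum { SYSTEM_DIRECTORY_PREFIX_LENGTH = 9 };

    NTSTATUS status;
    PH_KNOWN_PROCESS_TYPE knownProcessType;
    PROCESS_BASIC_INFORMATION basicInfo;
    PH_STRINGREF systemRootPrefix;
    PPH_STRING fileName;
    PPH_STRING newFileName;
    PH_STRINGREF name;
#ifdef _M_X64
    BOOLEAN isWow64 = FALSE;
#endif

    if (!NT_SUCCESS(status = PhGetProcessBasicInformation(
        ProcessHandle,
        &basicInfo
        )))
        return status;

    // The System process is identified by its PID rather than by an image name.
    if (basicInfo.UniqueProcessId == SYSTEM_PROCESS_ID)
    {
        *KnownProcessType = SystemProcessType;
        return STATUS_SUCCESS;
    }

    PhGetSystemRoot(&systemRootPrefix);

    if (!NT_SUCCESS(status = PhGetProcessImageFileName(
        ProcessHandle,
        &fileName
        )))
    {
        return status;
    }

    // NOTE(review): the comparison below relies on PhGetFileName producing a
    // path in the same form as the prefix from PhGetSystemRoot - confirm if
    // either helper changes.
    newFileName = PhGetFileName(fileName);
    PhDereferenceObject(fileName);
    name = newFileName->sr;

    knownProcessType = UnknownProcessType;

    if (PhStartsWithStringRef(&name, &systemRootPrefix, TRUE))
    {
        // Skip the system root, and we now have three cases:
        // 1. \\xyz.exe - Windows executable.
        // 2. \\System32\\xyz.exe - system32 executable.
        // 3. \\SysWow64\\xyz.exe - system32 executable + WOW64.
        // Length is a byte count, so convert it to characters before advancing Buffer.
        name.Buffer += systemRootPrefix.Length / sizeof(name.Buffer[0]);
        name.Length -= systemRootPrefix.Length;

        if (PhEqualStringRef2(&name, L"\\explorer.exe", TRUE))
        {
            knownProcessType = ExplorerProcessType;
        }
        else if (
            PhStartsWithStringRef2(&name, L"\\System32", TRUE)
#ifdef _M_X64
            // The comma expression records the WOW64 case as a side effect of the
            // match while still yielding TRUE for the condition - ugly but necessary.
            || (PhStartsWithStringRef2(&name, L"\\SysWow64", TRUE) && (isWow64 = TRUE, TRUE))
#endif
            )
        {
            // Skip the directory name so that name is "\\xyz.exe". This is only a
            // prefix test, so a name such as "\\System32x\\..." gets here too; the
            // exact comparisons below then simply fail to match.
            name.Buffer += SYSTEM_DIRECTORY_PREFIX_LENGTH;
            name.Length -= SYSTEM_DIRECTORY_PREFIX_LENGTH * sizeof(name.Buffer[0]);

            if (PhEqualStringRef2(&name, L"\\smss.exe", TRUE))
                knownProcessType = SessionManagerProcessType;
            else if (PhEqualStringRef2(&name, L"\\csrss.exe", TRUE))
                knownProcessType = WindowsSubsystemProcessType;
            else if (PhEqualStringRef2(&name, L"\\wininit.exe", TRUE))
                knownProcessType = WindowsStartupProcessType;
            else if (PhEqualStringRef2(&name, L"\\services.exe", TRUE))
                knownProcessType = ServiceControlManagerProcessType;
            else if (PhEqualStringRef2(&name, L"\\lsass.exe", TRUE))
                knownProcessType = LocalSecurityAuthorityProcessType;
            else if (PhEqualStringRef2(&name, L"\\lsm.exe", TRUE))
                knownProcessType = LocalSessionManagerProcessType;
            else if (PhEqualStringRef2(&name, L"\\winlogon.exe", TRUE))
                knownProcessType = WindowsLogonProcessType;
            else if (PhEqualStringRef2(&name, L"\\svchost.exe", TRUE))
                knownProcessType = ServiceHostProcessType;
            else if (PhEqualStringRef2(&name, L"\\rundll32.exe", TRUE))
                knownProcessType = RunDllAsAppProcessType;
            else if (PhEqualStringRef2(&name, L"\\dllhost.exe", TRUE))
                knownProcessType = ComSurrogateProcessType;
            else if (PhEqualStringRef2(&name, L"\\taskeng.exe", TRUE))
                knownProcessType = TaskHostProcessType;
            else if (PhEqualStringRef2(&name, L"\\taskhost.exe", TRUE))
                knownProcessType = TaskHostProcessType;
        }
    }

    PhDereferenceObject(newFileName);

#ifdef _M_X64
    if (isWow64)
        knownProcessType |= KnownProcessWow64;
#endif

    *KnownProcessType = knownProcessType;

    // status still holds the (successful) result of the last query.
    return status;
}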
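/**
 * Converts a native registry key name (\Registry\...) into the familiar
 * HKLM/HKCR/HKU/HKCU form.
 *
 * The prefixes are tested longest-first so that a name under
 * \Registry\Machine\Software\Classes becomes HKCR rather than
 * HKLM\Software\Classes, and a name under the current user's
 * \Registry\User\<SID>_Classes becomes HKCU\Software\Classes rather than
 * HKCU_Classes or HKU\<SID>_Classes. Prefix matching is case-insensitive.
 *
 * \param Name The native key name.
 *
 * \return A string which the caller must dereference. If no prefix matches,
 * \a Name itself is referenced and returned.
 */
PPH_STRING PhFormatNativeKeyName(
    __in PPH_STRING Name
    )
{
    static PH_STRINGREF hklmPrefix = PH_STRINGREF_INIT(L"\\Registry\\Machine");
    static PH_STRINGREF hkcrPrefix = PH_STRINGREF_INIT(L"\\Registry\\Machine\\Software\\Classes");
    static PH_STRINGREF hkuPrefix = PH_STRINGREF_INIT(L"\\Registry\\User");
    static PPH_STRING hkcuPrefix;
    static PPH_STRING hkcucrPrefix;

    static PH_STRINGREF hklmString = PH_STRINGREF_INIT(L"HKLM");
    static PH_STRINGREF hkcrString = PH_STRINGREF_INIT(L"HKCR");
    static PH_STRINGREF hkuString = PH_STRINGREF_INIT(L"HKU");
    static PH_STRINGREF hkcuString = PH_STRINGREF_INIT(L"HKCU");
    static PH_STRINGREF hkcucrString = PH_STRINGREF_INIT(L"HKCU\\Software\\Classes");

    static PH_INITONCE initOnce = PH_INITONCE_INIT;

    PPH_STRING newName;
    PH_STRINGREF name;

    // The HKCU prefixes depend on the current user's SID, so they are built once, lazily.
    if (PhBeginInitOnce(&initOnce))
    {
        PTOKEN_USER tokenUser;
        PPH_STRING stringSid = NULL;

        if (PhCurrentTokenQueryHandle)
        {
            if (NT_SUCCESS(PhGetTokenUser(
                PhCurrentTokenQueryHandle,
                &tokenUser
                )))
            {
                stringSid = PhSidToStringSid(tokenUser->User.Sid);
                PhFree(tokenUser);
            }
        }

        if (stringSid)
        {
            static PH_STRINGREF registryUserPrefix = PH_STRINGREF_INIT(L"\\Registry\\User\\");
            static PH_STRINGREF classesString = PH_STRINGREF_INIT(L"_Classes");

            // Was mis-encoded as "&reg;istryUserPrefix" - the address-of operator is intended.
            hkcuPrefix = PhConcatStringRef2(&registryUserPrefix, &stringSid->sr);
            hkcucrPrefix = PhConcatStringRef2(&hkcuPrefix->sr, &classesString);
            PhDereferenceObject(stringSid);
        }
        else
        {
            // No SID available (no query handle, or the token query failed): use a
            // placeholder that won't ever get matched, so the HKCU branches below are inert.
            hkcuPrefix = PhCreateString(L"...");
            hkcucrPrefix = PhCreateString(L"...");
        }

        PhEndInitOnce(&initOnce);
    }

    name = Name->sr;

    // Order matters: each prefix is checked before any prefix it extends.
    if (PhStartsWithStringRef(&name, &hkcrPrefix, TRUE))
    {
        name.Buffer += hkcrPrefix.Length / sizeof(WCHAR);
        name.Length -= hkcrPrefix.Length;
        newName = PhConcatStringRef2(&hkcrString, &name);
    }
    else if (PhStartsWithStringRef(&name, &hklmPrefix, TRUE))
    {
        name.Buffer += hklmPrefix.Length / sizeof(WCHAR);
        name.Length -= hklmPrefix.Length;
        newName = PhConcatStringRef2(&hklmString, &name);
    }
    else if (PhStartsWithStringRef(&name, &hkcucrPrefix->sr, TRUE))
    {
        name.Buffer += hkcucrPrefix->Length / sizeof(WCHAR);
        name.Length -= hkcucrPrefix->Length;
        newName = PhConcatStringRef2(&hkcucrString, &name);
    }
    else if (PhStartsWithStringRef(&name, &hkcuPrefix->sr, TRUE))
    {
        name.Buffer += hkcuPrefix->Length / sizeof(WCHAR);
        name.Length -= hkcuPrefix->Length;
        newName = PhConcatStringRef2(&hkcuString, &name);
    }
    else if (PhStartsWithStringRef(&name, &hkuPrefix, TRUE))
    {
        name.Buffer += hkuPrefix.Length / sizeof(WCHAR);
        name.Length -= hkuPrefix.Length;
        newName = PhConcatStringRef2(&hkuString, &name);
    }
    else
    {
        // Unknown root: hand back the input with an extra reference so the
        // caller's dereference contract is the same on every path.
        newName = Name;
        PhReferenceObject(Name);
    }

    return newName;
}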
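/**
 * Finds a child menu item.
 *
 * \param Item The parent menu item.
 * \param Flags A combination of the following:
 * \li \c PH_EMENU_FIND_DESCEND Searches recursively within child
 * menu items.
 * \li \c PH_EMENU_FIND_STARTSWITH Performs a partial text search
 * instead of an exact search.
 * \li \c PH_EMENU_FIND_LITERAL Performs a literal search instead of
 * ignoring prefix characters (ampersands).
 * \param Text The text of the menu item to find. If NULL, the text
 * is ignored. Text comparisons are case-insensitive. Child items
 * whose own text is NULL are never matched by text.
 * \param Id The identifier of the menu item to find. If 0, the
 * identifier is ignored.
 *
 * \return The found menu item, or NULL if the menu item could not
 * be found. A child matches if it satisfies either the text or the
 * identifier criterion; children are visited in order and, with
 * \c PH_EMENU_FIND_DESCEND, each child's subtree is searched before
 * moving on to the next sibling.
 */
PPH_EMENU_ITEM PhFindEMenuItem(
    __in PPH_EMENU_ITEM Item,
    __in ULONG Flags,
    __in_opt PWSTR Text,
    __in_opt ULONG Id
    )
{
    ULONG i;
    PH_STRINGREF searchText;

    if (!Item->Items)
        return NULL;

    // Wrap the literal search text once rather than per child.
    if (Text && (Flags & PH_EMENU_FIND_LITERAL))
        PhInitializeStringRef(&searchText, Text);

    for (i = 0; i < Item->Items->Count; i++)
    {
        PPH_EMENU_ITEM item;

        item = Item->Items->Items[i];

        // Skip text-less children (a NULL Text) instead of handing NULL to the
        // comparison helpers; such an item can only be found by identifier.
        if (Text && item->Text)
        {
            if (Flags & PH_EMENU_FIND_LITERAL)
            {
                PH_STRINGREF text;

                PhInitializeStringRef(&text, item->Text);

                if (Flags & PH_EMENU_FIND_STARTSWITH)
                {
                    if (PhStartsWithStringRef(&text, &searchText, TRUE))
                        return item;
                }
                else
                {
                    if (PhEqualStringRef(&text, &searchText, TRUE))
                        return item;
                }
            }
            else
            {
                // Non-literal search: ampersand prefix characters are ignored.
                if (PhCompareUnicodeStringZIgnoreMenuPrefix(Text, item->Text, TRUE, !!(Flags & PH_EMENU_FIND_STARTSWITH)) == 0)
                    return item;
            }
        }

        if (Id && item->Id == Id)
            return item;

        if (Flags & PH_EMENU_FIND_DESCEND)
        {
            PPH_EMENU_ITEM foundItem;

            foundItem = PhFindEMenuItem(item, Flags, Text, Id);

            if (foundItem)
                return foundItem;
        }
    }

    return NULL;
}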
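/**
 * Finds a child menu item.
 *
 * \param Item The parent menu item.
 * \param Flags A combination of the following:
 * \li \c PH_EMENU_FIND_DESCEND Searches recursively within child menu items.
 * \li \c PH_EMENU_FIND_STARTSWITH Performs a partial text search instead of an exact search.
 * \li \c PH_EMENU_FIND_LITERAL Performs a literal search instead of ignoring prefix characters
 * (ampersands).
 * \param Text The text of the menu item to find. If NULL, the text is ignored. Text comparisons
 * are case-insensitive. Child items whose own text is NULL are never matched by text.
 * \param Id The identifier of the menu item to find. If 0, the identifier is ignored.
 * \param FoundParent A variable which receives the parent of the found menu item.
 * \param FoundIndex A variable which receives the index of the found menu item within
 * \a FoundParent.
 *
 * \return The found menu item, or NULL if the menu item could not be found. \a FoundParent and
 * \a FoundIndex are written only when an item is found. A child matches if it satisfies either
 * the text or the identifier criterion; children are visited in order and, with
 * \c PH_EMENU_FIND_DESCEND, each child's subtree is searched before moving on to the next sibling.
 */
PPH_EMENU_ITEM PhFindEMenuItemEx(
    _In_ PPH_EMENU_ITEM Item,
    _In_ ULONG Flags,
    _In_opt_ PWSTR Text,
    _In_opt_ ULONG Id,
    _Out_opt_ PPH_EMENU_ITEM *FoundParent,
    _Out_opt_ PULONG FoundIndex
    )
{
    PH_STRINGREF searchText;
    ULONG i;
    PPH_EMENU_ITEM item;

    if (!Item->Items)
        return NULL;

    // Wrap the literal search text once rather than per child.
    if (Text && (Flags & PH_EMENU_FIND_LITERAL))
        PhInitializeStringRef(&searchText, Text);

    for (i = 0; i < Item->Items->Count; i++)
    {
        item = Item->Items->Items[i];

        // Skip text-less children (a NULL Text) instead of handing NULL to the
        // comparison helpers; such an item can only be found by identifier.
        if (Text && item->Text)
        {
            if (Flags & PH_EMENU_FIND_LITERAL)
            {
                PH_STRINGREF text;

                PhInitializeStringRef(&text, item->Text);

                if (Flags & PH_EMENU_FIND_STARTSWITH)
                {
                    if (PhStartsWithStringRef(&text, &searchText, TRUE))
                        goto FoundItemHere;
                }
                else
                {
                    if (PhEqualStringRef(&text, &searchText, TRUE))
                        goto FoundItemHere;
                }
            }
            else
            {
                // Non-literal search: ampersand prefix characters are ignored.
                if (PhCompareUnicodeStringZIgnoreMenuPrefix(Text, item->Text, TRUE, !!(Flags & PH_EMENU_FIND_STARTSWITH)) == 0)
                    goto FoundItemHere;
            }
        }

        if (Id && item->Id == Id)
            goto FoundItemHere;

        if (Flags & PH_EMENU_FIND_DESCEND)
        {
            PPH_EMENU_ITEM foundItem;

            // The recursive call only writes the out-parameters when it finds
            // something, so they can be passed straight through.
            foundItem = PhFindEMenuItemEx(item, Flags, Text, Id, FoundParent, FoundIndex);

            if (foundItem)
                return foundItem;
        }
    }

    return NULL;

FoundItemHere:
    if (FoundParent)
        *FoundParent = Item;
    if (FoundIndex)
        *FoundIndex = i;

    return item;
}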