VOID ProcessesUpdatedCallback( _In_opt_ PVOID Parameter, _In_opt_ PVOID Context ) { static ULONG ProcessesUpdatedCount = 0; PLIST_ENTRY listEntry; if (!VirusTotalScanningEnabled) return; if (ProcessesUpdatedCount < 2) { ProcessesUpdatedCount++; return; } listEntry = ProcessListHead.Flink; while (listEntry != &ProcessListHead) { PPROCESS_EXTENSION extension; PPH_STRING filePath = NULL; extension = CONTAINING_RECORD(listEntry, PROCESS_EXTENSION, ListEntry); if (extension->ProcessItem) { filePath = extension->ProcessItem->FileName; } else if (extension->ModuleItem) { filePath = extension->ModuleItem->FileName; } else if (extension->ServiceItem) { if (extension->FilePath) { filePath = extension->FilePath; } else { PPH_STRING serviceFileName = NULL; PPH_STRING serviceBinaryPath = NULL; if (NT_SUCCESS(QueryServiceFileName( &extension->ServiceItem->Name->sr, &serviceFileName, &serviceBinaryPath ))) { PhMoveReference(&extension->FilePath, serviceFileName); if (serviceBinaryPath) PhDereferenceObject(serviceBinaryPath); } filePath = extension->FilePath; } } if (!PhIsNullOrEmptyString(filePath)) { if (!extension->ResultValid) { PPROCESS_DB_OBJECT object; if (object = FindProcessDbObject(&filePath->sr)) { extension->Stage1 = TRUE; extension->ResultValid = TRUE; extension->Positives = object->Positives; PhSwapReference(&extension->VirusTotalResult, object->Result); } } if (!extension->Stage1) { if (!VirusTotalGetCachedResult(filePath)) { VirusTotalAddCacheResult(filePath, extension); } extension->Stage1 = TRUE; } } listEntry = listEntry->Flink; } }
BOOLEAN ServiceTreeFilterCallback( _In_ PPH_TREENEW_NODE Node, _In_opt_ PVOID Context ) { PPH_SERVICE_NODE serviceNode = (PPH_SERVICE_NODE)Node; PPH_STRING serviceFileName = NULL; PPH_STRING serviceBinaryPath = NULL; if (PhIsNullOrEmptyString(SearchboxText)) return TRUE; if (WordMatchStringZ(PhGetServiceTypeString(serviceNode->ServiceItem->Type))) return TRUE; if (WordMatchStringZ(PhGetServiceStateString(serviceNode->ServiceItem->State))) return TRUE; if (WordMatchStringZ(PhGetServiceStartTypeString(serviceNode->ServiceItem->StartType))) return TRUE; if (WordMatchStringZ(PhGetServiceErrorControlString(serviceNode->ServiceItem->ErrorControl))) return TRUE; if (!PhIsNullOrEmptyString(serviceNode->ServiceItem->Name)) { if (WordMatchStringRef(&serviceNode->ServiceItem->Name->sr)) return TRUE; } if (!PhIsNullOrEmptyString(serviceNode->ServiceItem->DisplayName)) { if (WordMatchStringRef(&serviceNode->ServiceItem->DisplayName->sr)) return TRUE; } if (serviceNode->ServiceItem->ProcessId) { PPH_PROCESS_NODE processNode; if (WordMatchStringZ(serviceNode->ServiceItem->ProcessIdString)) return TRUE; // Search the process node if (processNode = PhFindProcessNode(serviceNode->ServiceItem->ProcessId)) { if (ProcessTreeFilterCallback(&processNode->Node, NULL)) return TRUE; } } if (!PhIsNullOrEmptyString(serviceNode->ServiceItem->VerifySignerName)) { if (WordMatchStringRef(&serviceNode->ServiceItem->VerifySignerName->sr)) return TRUE; } if (serviceNode->ServiceItem->VerifyResult != VrUnknown) { switch (serviceNode->ServiceItem->VerifyResult) { case VrNoSignature: if (WordMatchStringZ(L"NoSignature")) return TRUE; break; case VrTrusted: if (WordMatchStringZ(L"Trusted")) return TRUE; break; case VrExpired: if (WordMatchStringZ(L"Expired")) return TRUE; break; case VrRevoked: if (WordMatchStringZ(L"Revoked")) return TRUE; break; case VrDistrust: if (WordMatchStringZ(L"Distrust")) return TRUE; break; case VrSecuritySettings: if (WordMatchStringZ(L"SecuritySettings")) return TRUE; break; case VrBadSignature: if (WordMatchStringZ(L"BadSignature")) return TRUE; break; default: if (WordMatchStringZ(L"Unknown")) return TRUE; break; } } if (NT_SUCCESS(QueryServiceFileName( &serviceNode->ServiceItem->Name->sr, &serviceFileName, &serviceBinaryPath ))) { BOOLEAN matched = FALSE; if (serviceFileName) { if (WordMatchStringRef(&serviceFileName->sr)) { matched = TRUE; } PhDereferenceObject(serviceFileName); } if (serviceBinaryPath) { if (WordMatchStringRef(&serviceBinaryPath->sr)) { matched = TRUE; } PhDereferenceObject(serviceBinaryPath); } if (matched) return TRUE; } return FALSE; }
BOOLEAN ProcessTreeFilterCallback( _In_ PPH_TREENEW_NODE Node, _In_opt_ PVOID Context ) { PPH_PROCESS_NODE processNode = (PPH_PROCESS_NODE)Node; if (PhIsNullOrEmptyString(SearchboxText)) return TRUE; if (!PhIsNullOrEmptyString(processNode->ProcessItem->ProcessName)) { if (WordMatchStringRef(&processNode->ProcessItem->ProcessName->sr)) return TRUE; } if (!PhIsNullOrEmptyString(processNode->ProcessItem->FileName)) { if (WordMatchStringRef(&processNode->ProcessItem->FileName->sr)) return TRUE; } if (!PhIsNullOrEmptyString(processNode->ProcessItem->CommandLine)) { if (WordMatchStringRef(&processNode->ProcessItem->CommandLine->sr)) return TRUE; } if (!PhIsNullOrEmptyString(processNode->ProcessItem->VersionInfo.CompanyName)) { if (WordMatchStringRef(&processNode->ProcessItem->VersionInfo.CompanyName->sr)) return TRUE; } if (!PhIsNullOrEmptyString(processNode->ProcessItem->VersionInfo.FileDescription)) { if (WordMatchStringRef(&processNode->ProcessItem->VersionInfo.FileDescription->sr)) return TRUE; } if (!PhIsNullOrEmptyString(processNode->ProcessItem->VersionInfo.FileVersion)) { if (WordMatchStringRef(&processNode->ProcessItem->VersionInfo.FileVersion->sr)) return TRUE; } if (!PhIsNullOrEmptyString(processNode->ProcessItem->VersionInfo.ProductName)) { if (WordMatchStringRef(&processNode->ProcessItem->VersionInfo.ProductName->sr)) return TRUE; } if (!PhIsNullOrEmptyString(processNode->ProcessItem->UserName)) { if (WordMatchStringRef(&processNode->ProcessItem->UserName->sr)) return TRUE; } if (processNode->ProcessItem->IntegrityString) { if (WordMatchStringZ(processNode->ProcessItem->IntegrityString)) return TRUE; } if (!PhIsNullOrEmptyString(processNode->ProcessItem->JobName)) { if (WordMatchStringRef(&processNode->ProcessItem->JobName->sr)) return TRUE; } if (!PhIsNullOrEmptyString(processNode->ProcessItem->VerifySignerName)) { if (WordMatchStringRef(&processNode->ProcessItem->VerifySignerName->sr)) return TRUE; } if (processNode->ProcessItem->ProcessIdString[0]) { if (WordMatchStringZ(processNode->ProcessItem->ProcessIdString)) return TRUE; } if (processNode->ProcessItem->ParentProcessIdString[0]) { if (WordMatchStringZ(processNode->ProcessItem->ParentProcessIdString)) return TRUE; } if (processNode->ProcessItem->SessionIdString[0]) { if (WordMatchStringZ(processNode->ProcessItem->SessionIdString)) return TRUE; } if (!PhIsNullOrEmptyString(processNode->ProcessItem->PackageFullName)) { if (WordMatchStringRef(&processNode->ProcessItem->PackageFullName->sr)) return TRUE; } if (WordMatchStringZ(PhGetProcessPriorityClassString(processNode->ProcessItem->PriorityClass))) { return TRUE; } if (processNode->ProcessItem->VerifyResult != VrUnknown) { switch (processNode->ProcessItem->VerifyResult) { case VrNoSignature: if (WordMatchStringZ(L"NoSignature")) return TRUE; break; case VrTrusted: if (WordMatchStringZ(L"Trusted")) return TRUE; break; case VrExpired: if (WordMatchStringZ(L"Expired")) return TRUE; break; case VrRevoked: if (WordMatchStringZ(L"Revoked")) return TRUE; break; case VrDistrust: if (WordMatchStringZ(L"Distrust")) return TRUE; break; case VrSecuritySettings: if (WordMatchStringZ(L"SecuritySettings")) return TRUE; break; case VrBadSignature: if (WordMatchStringZ(L"BadSignature")) return TRUE; break; default: if (WordMatchStringZ(L"Unknown")) return TRUE; break; } } if (processNode->ProcessItem->ElevationType != TokenElevationTypeDefault) { switch (processNode->ProcessItem->ElevationType) { case TokenElevationTypeLimited: if (WordMatchStringZ(L"Limited")) return TRUE; break; case TokenElevationTypeFull: if (WordMatchStringZ(L"Full")) return TRUE; break; default: if (WordMatchStringZ(L"Unknown")) return TRUE; break; } } if (WordMatchStringZ(L"IsBeingDebugged") && processNode->ProcessItem->IsBeingDebugged) { return TRUE; } if (WordMatchStringZ(L"IsDotNet") && processNode->ProcessItem->IsDotNet) { return TRUE; } if (WordMatchStringZ(L"IsElevated") && processNode->ProcessItem->IsElevated) { return TRUE; } if (WordMatchStringZ(L"IsInJob") && processNode->ProcessItem->IsInJob) { return TRUE; } if (WordMatchStringZ(L"IsInSignificantJob") && processNode->ProcessItem->IsInSignificantJob) { return TRUE; } if (WordMatchStringZ(L"IsPacked") && processNode->ProcessItem->IsPacked) { return TRUE; } if (WordMatchStringZ(L"IsSuspended") && processNode->ProcessItem->IsSuspended) { return TRUE; } if (WordMatchStringZ(L"IsWow64") && processNode->ProcessItem->IsWow64) { return TRUE; } if (WordMatchStringZ(L"IsImmersive") && processNode->ProcessItem->IsImmersive) { return TRUE; } if (WordMatchStringZ(L"IsProtectedProcess") && processNode->ProcessItem->IsProtectedProcess) { return TRUE; } if (WordMatchStringZ(L"IsSecureProcess") && processNode->ProcessItem->IsSecureProcess) { return TRUE; } if (WordMatchStringZ(L"IsPicoProcess") && processNode->ProcessItem->IsSubsystemProcess) { return TRUE; } if (processNode->ProcessItem->ServiceList && processNode->ProcessItem->ServiceList->Count) { ULONG enumerationKey = 0; PPH_SERVICE_ITEM serviceItem; PPH_LIST serviceList; ULONG i; BOOLEAN matched = FALSE; // Copy the service list so we can search it. serviceList = PhCreateList(processNode->ProcessItem->ServiceList->Count); PhAcquireQueuedLockShared(&processNode->ProcessItem->ServiceListLock); while (PhEnumPointerList( processNode->ProcessItem->ServiceList, &enumerationKey, &serviceItem )) { PhReferenceObject(serviceItem); PhAddItemList(serviceList, serviceItem); } PhReleaseQueuedLockShared(&processNode->ProcessItem->ServiceListLock); for (i = 0; i < serviceList->Count; i++) { PPH_STRING serviceFileName = NULL; PPH_STRING serviceBinaryPath = NULL; serviceItem = serviceList->Items[i]; if (!PhIsNullOrEmptyString(serviceItem->Name)) { if (WordMatchStringRef(&serviceItem->Name->sr)) { matched = TRUE; break; } } if (!PhIsNullOrEmptyString(serviceItem->DisplayName)) { if (WordMatchStringRef(&serviceItem->DisplayName->sr)) { matched = TRUE; break; } } if (serviceItem->ProcessId) { if (WordMatchStringZ(serviceItem->ProcessIdString)) { matched = TRUE; break; } } if (NT_SUCCESS(QueryServiceFileName( &serviceItem->Name->sr, &serviceFileName, &serviceBinaryPath ))) { if (serviceFileName) { if (WordMatchStringRef(&serviceFileName->sr)) { matched = TRUE; } PhDereferenceObject(serviceFileName); } if (serviceBinaryPath) { if (WordMatchStringRef(&serviceBinaryPath->sr)) { matched = TRUE; } PhDereferenceObject(serviceBinaryPath); } if (matched) break; } } PhDereferenceObjects(serviceList->Items, serviceList->Count); PhDereferenceObject(serviceList); if (matched) return TRUE; } return FALSE; }
BOOLEAN ServiceTreeFilterCallback( _In_ PPH_TREENEW_NODE Node, _In_opt_ PVOID Context ) { PPH_SERVICE_NODE serviceNode = (PPH_SERVICE_NODE)Node; PPH_STRING serviceFileName = NULL; PPH_STRING serviceBinaryPath = NULL; if (PhIsNullOrEmptyString(SearchboxText)) return TRUE; if (WordMatchStringZ(PhGetServiceTypeString(serviceNode->ServiceItem->Type))) return TRUE; if (WordMatchStringZ(PhGetServiceStateString(serviceNode->ServiceItem->State))) return TRUE; if (WordMatchStringZ(PhGetServiceStartTypeString(serviceNode->ServiceItem->StartType))) return TRUE; if (WordMatchStringZ(PhGetServiceErrorControlString(serviceNode->ServiceItem->ErrorControl))) return TRUE; if (!PhIsNullOrEmptyString(serviceNode->ServiceItem->Name)) { if (WordMatchStringRef(&serviceNode->ServiceItem->Name->sr)) return TRUE; } if (!PhIsNullOrEmptyString(serviceNode->ServiceItem->DisplayName)) { if (WordMatchStringRef(&serviceNode->ServiceItem->DisplayName->sr)) return TRUE; } if (serviceNode->ServiceItem->ProcessId) { PPH_PROCESS_NODE processNode; WCHAR processIdString[PH_INT32_STR_LEN_1]; PhPrintUInt32(processIdString, HandleToUlong(serviceNode->ServiceItem->ProcessId)); if (WordMatchStringZ(processIdString)) return TRUE; // Search the process node if (processNode = PhFindProcessNode(serviceNode->ServiceItem->ProcessId)) { if (ProcessTreeFilterCallback(&processNode->Node, NULL)) return TRUE; } } if (NT_SUCCESS(QueryServiceFileName( &serviceNode->ServiceItem->Name->sr, &serviceFileName, &serviceBinaryPath ))) { BOOLEAN matched = FALSE; if (serviceFileName) { if (WordMatchStringRef(&serviceFileName->sr)) { matched = TRUE; } PhDereferenceObject(serviceFileName); } if (serviceBinaryPath) { if (WordMatchStringRef(&serviceBinaryPath->sr)) { matched = TRUE; } PhDereferenceObject(serviceBinaryPath); } if (matched) return TRUE; } return FALSE; }