VOID ProcessesUpdatedCallback(
_In_opt_ PVOID Parameter,
_In_opt_ PVOID Context
)
{
static ULONG ProcessesUpdatedCount = 0;
PLIST_ENTRY listEntry;
if (!VirusTotalScanningEnabled)
return;
if (ProcessesUpdatedCount < 2)
{
ProcessesUpdatedCount++;
return;
}
listEntry = ProcessListHead.Flink;
while (listEntry != &ProcessListHead)
{
PPROCESS_EXTENSION extension;
PPH_STRING filePath = NULL;
extension = CONTAINING_RECORD(listEntry, PROCESS_EXTENSION, ListEntry);
if (extension->ProcessItem)
{
filePath = extension->ProcessItem->FileName;
}
else if (extension->ModuleItem)
{
filePath = extension->ModuleItem->FileName;
}
else if (extension->ServiceItem)
{
if (extension->FilePath)
{
filePath = extension->FilePath;
}
else
{
PPH_STRING serviceFileName = NULL;
PPH_STRING serviceBinaryPath = NULL;
if (NT_SUCCESS(QueryServiceFileName(
&extension->ServiceItem->Name->sr,
&serviceFileName,
&serviceBinaryPath
)))
{
PhMoveReference(&extension->FilePath, serviceFileName);
if (serviceBinaryPath) PhDereferenceObject(serviceBinaryPath);
}
filePath = extension->FilePath;
}
}
if (!PhIsNullOrEmptyString(filePath))
{
if (!extension->ResultValid)
{
PPROCESS_DB_OBJECT object;
if (object = FindProcessDbObject(&filePath->sr))
{
extension->Stage1 = TRUE;
extension->ResultValid = TRUE;
extension->Positives = object->Positives;
PhSwapReference(&extension->VirusTotalResult, object->Result);
}
}
if (!extension->Stage1)
{
if (!VirusTotalGetCachedResult(filePath))
{
VirusTotalAddCacheResult(filePath, extension);
}
extension->Stage1 = TRUE;
}
}
listEntry = listEntry->Flink;
}
}
BOOLEAN ServiceTreeFilterCallback(
_In_ PPH_TREENEW_NODE Node,
_In_opt_ PVOID Context
)
{
PPH_SERVICE_NODE serviceNode = (PPH_SERVICE_NODE)Node;
PPH_STRING serviceFileName = NULL;
PPH_STRING serviceBinaryPath = NULL;
if (PhIsNullOrEmptyString(SearchboxText))
return TRUE;
if (WordMatchStringZ(PhGetServiceTypeString(serviceNode->ServiceItem->Type)))
return TRUE;
if (WordMatchStringZ(PhGetServiceStateString(serviceNode->ServiceItem->State)))
return TRUE;
if (WordMatchStringZ(PhGetServiceStartTypeString(serviceNode->ServiceItem->StartType)))
return TRUE;
if (WordMatchStringZ(PhGetServiceErrorControlString(serviceNode->ServiceItem->ErrorControl)))
return TRUE;
if (!PhIsNullOrEmptyString(serviceNode->ServiceItem->Name))
{
if (WordMatchStringRef(&serviceNode->ServiceItem->Name->sr))
return TRUE;
}
if (!PhIsNullOrEmptyString(serviceNode->ServiceItem->DisplayName))
{
if (WordMatchStringRef(&serviceNode->ServiceItem->DisplayName->sr))
return TRUE;
}
if (serviceNode->ServiceItem->ProcessId)
{
PPH_PROCESS_NODE processNode;
if (WordMatchStringZ(serviceNode->ServiceItem->ProcessIdString))
return TRUE;
// Search the process node
if (processNode = PhFindProcessNode(serviceNode->ServiceItem->ProcessId))
{
if (ProcessTreeFilterCallback(&processNode->Node, NULL))
return TRUE;
}
}
if (!PhIsNullOrEmptyString(serviceNode->ServiceItem->VerifySignerName))
{
if (WordMatchStringRef(&serviceNode->ServiceItem->VerifySignerName->sr))
return TRUE;
}
if (serviceNode->ServiceItem->VerifyResult != VrUnknown)
{
switch (serviceNode->ServiceItem->VerifyResult)
{
case VrNoSignature:
if (WordMatchStringZ(L"NoSignature"))
return TRUE;
break;
case VrTrusted:
if (WordMatchStringZ(L"Trusted"))
return TRUE;
break;
case VrExpired:
if (WordMatchStringZ(L"Expired"))
return TRUE;
break;
case VrRevoked:
if (WordMatchStringZ(L"Revoked"))
return TRUE;
break;
case VrDistrust:
if (WordMatchStringZ(L"Distrust"))
return TRUE;
break;
case VrSecuritySettings:
if (WordMatchStringZ(L"SecuritySettings"))
return TRUE;
break;
case VrBadSignature:
if (WordMatchStringZ(L"BadSignature"))
return TRUE;
break;
default:
if (WordMatchStringZ(L"Unknown"))
return TRUE;
break;
}
}
if (NT_SUCCESS(QueryServiceFileName(
&serviceNode->ServiceItem->Name->sr,
&serviceFileName,
&serviceBinaryPath
)))
{
BOOLEAN matched = FALSE;
if (serviceFileName)
{
if (WordMatchStringRef(&serviceFileName->sr))
{
matched = TRUE;
}
PhDereferenceObject(serviceFileName);
}
if (serviceBinaryPath)
{
if (WordMatchStringRef(&serviceBinaryPath->sr))
{
matched = TRUE;
}
PhDereferenceObject(serviceBinaryPath);
}
if (matched)
return TRUE;
}
return FALSE;
}
BOOLEAN ProcessTreeFilterCallback(
_In_ PPH_TREENEW_NODE Node,
_In_opt_ PVOID Context
)
{
PPH_PROCESS_NODE processNode = (PPH_PROCESS_NODE)Node;
if (PhIsNullOrEmptyString(SearchboxText))
return TRUE;
if (!PhIsNullOrEmptyString(processNode->ProcessItem->ProcessName))
{
if (WordMatchStringRef(&processNode->ProcessItem->ProcessName->sr))
return TRUE;
}
if (!PhIsNullOrEmptyString(processNode->ProcessItem->FileName))
{
if (WordMatchStringRef(&processNode->ProcessItem->FileName->sr))
return TRUE;
}
if (!PhIsNullOrEmptyString(processNode->ProcessItem->CommandLine))
{
if (WordMatchStringRef(&processNode->ProcessItem->CommandLine->sr))
return TRUE;
}
if (!PhIsNullOrEmptyString(processNode->ProcessItem->VersionInfo.CompanyName))
{
if (WordMatchStringRef(&processNode->ProcessItem->VersionInfo.CompanyName->sr))
return TRUE;
}
if (!PhIsNullOrEmptyString(processNode->ProcessItem->VersionInfo.FileDescription))
{
if (WordMatchStringRef(&processNode->ProcessItem->VersionInfo.FileDescription->sr))
return TRUE;
}
if (!PhIsNullOrEmptyString(processNode->ProcessItem->VersionInfo.FileVersion))
{
if (WordMatchStringRef(&processNode->ProcessItem->VersionInfo.FileVersion->sr))
return TRUE;
}
if (!PhIsNullOrEmptyString(processNode->ProcessItem->VersionInfo.ProductName))
{
if (WordMatchStringRef(&processNode->ProcessItem->VersionInfo.ProductName->sr))
return TRUE;
}
if (!PhIsNullOrEmptyString(processNode->ProcessItem->UserName))
{
if (WordMatchStringRef(&processNode->ProcessItem->UserName->sr))
return TRUE;
}
if (processNode->ProcessItem->IntegrityString)
{
if (WordMatchStringZ(processNode->ProcessItem->IntegrityString))
return TRUE;
}
if (!PhIsNullOrEmptyString(processNode->ProcessItem->JobName))
{
if (WordMatchStringRef(&processNode->ProcessItem->JobName->sr))
return TRUE;
}
if (!PhIsNullOrEmptyString(processNode->ProcessItem->VerifySignerName))
{
if (WordMatchStringRef(&processNode->ProcessItem->VerifySignerName->sr))
return TRUE;
}
if (processNode->ProcessItem->ProcessIdString[0])
{
if (WordMatchStringZ(processNode->ProcessItem->ProcessIdString))
return TRUE;
}
if (processNode->ProcessItem->ParentProcessIdString[0])
{
if (WordMatchStringZ(processNode->ProcessItem->ParentProcessIdString))
return TRUE;
}
if (processNode->ProcessItem->SessionIdString[0])
{
if (WordMatchStringZ(processNode->ProcessItem->SessionIdString))
return TRUE;
}
if (!PhIsNullOrEmptyString(processNode->ProcessItem->PackageFullName))
{
if (WordMatchStringRef(&processNode->ProcessItem->PackageFullName->sr))
return TRUE;
}
if (WordMatchStringZ(PhGetProcessPriorityClassString(processNode->ProcessItem->PriorityClass)))
{
return TRUE;
}
if (processNode->ProcessItem->VerifyResult != VrUnknown)
{
switch (processNode->ProcessItem->VerifyResult)
{
case VrNoSignature:
if (WordMatchStringZ(L"NoSignature"))
return TRUE;
break;
case VrTrusted:
if (WordMatchStringZ(L"Trusted"))
return TRUE;
break;
case VrExpired:
if (WordMatchStringZ(L"Expired"))
return TRUE;
break;
case VrRevoked:
if (WordMatchStringZ(L"Revoked"))
return TRUE;
break;
case VrDistrust:
if (WordMatchStringZ(L"Distrust"))
return TRUE;
break;
case VrSecuritySettings:
if (WordMatchStringZ(L"SecuritySettings"))
return TRUE;
break;
case VrBadSignature:
if (WordMatchStringZ(L"BadSignature"))
return TRUE;
break;
default:
if (WordMatchStringZ(L"Unknown"))
return TRUE;
break;
}
}
if (processNode->ProcessItem->ElevationType != TokenElevationTypeDefault)
{
switch (processNode->ProcessItem->ElevationType)
{
case TokenElevationTypeLimited:
if (WordMatchStringZ(L"Limited"))
return TRUE;
break;
case TokenElevationTypeFull:
if (WordMatchStringZ(L"Full"))
return TRUE;
break;
default:
if (WordMatchStringZ(L"Unknown"))
return TRUE;
break;
}
}
if (WordMatchStringZ(L"IsBeingDebugged") && processNode->ProcessItem->IsBeingDebugged)
{
return TRUE;
}
if (WordMatchStringZ(L"IsDotNet") && processNode->ProcessItem->IsDotNet)
{
return TRUE;
}
if (WordMatchStringZ(L"IsElevated") && processNode->ProcessItem->IsElevated)
{
return TRUE;
}
if (WordMatchStringZ(L"IsInJob") && processNode->ProcessItem->IsInJob)
{
return TRUE;
}
if (WordMatchStringZ(L"IsInSignificantJob") && processNode->ProcessItem->IsInSignificantJob)
{
return TRUE;
}
if (WordMatchStringZ(L"IsPacked") && processNode->ProcessItem->IsPacked)
{
return TRUE;
}
if (WordMatchStringZ(L"IsSuspended") && processNode->ProcessItem->IsSuspended)
{
return TRUE;
}
if (WordMatchStringZ(L"IsWow64") && processNode->ProcessItem->IsWow64)
{
return TRUE;
}
if (WordMatchStringZ(L"IsImmersive") && processNode->ProcessItem->IsImmersive)
{
return TRUE;
}
if (WordMatchStringZ(L"IsProtectedProcess") && processNode->ProcessItem->IsProtectedProcess)
{
return TRUE;
}
if (WordMatchStringZ(L"IsSecureProcess") && processNode->ProcessItem->IsSecureProcess)
{
return TRUE;
}
if (WordMatchStringZ(L"IsPicoProcess") && processNode->ProcessItem->IsSubsystemProcess)
{
return TRUE;
}
if (processNode->ProcessItem->ServiceList && processNode->ProcessItem->ServiceList->Count)
{
ULONG enumerationKey = 0;
PPH_SERVICE_ITEM serviceItem;
PPH_LIST serviceList;
ULONG i;
BOOLEAN matched = FALSE;
// Copy the service list so we can search it.
serviceList = PhCreateList(processNode->ProcessItem->ServiceList->Count);
PhAcquireQueuedLockShared(&processNode->ProcessItem->ServiceListLock);
while (PhEnumPointerList(
processNode->ProcessItem->ServiceList,
&enumerationKey,
&serviceItem
))
{
PhReferenceObject(serviceItem);
PhAddItemList(serviceList, serviceItem);
}
PhReleaseQueuedLockShared(&processNode->ProcessItem->ServiceListLock);
for (i = 0; i < serviceList->Count; i++)
{
PPH_STRING serviceFileName = NULL;
PPH_STRING serviceBinaryPath = NULL;
serviceItem = serviceList->Items[i];
if (!PhIsNullOrEmptyString(serviceItem->Name))
{
if (WordMatchStringRef(&serviceItem->Name->sr))
{
matched = TRUE;
break;
}
}
if (!PhIsNullOrEmptyString(serviceItem->DisplayName))
{
if (WordMatchStringRef(&serviceItem->DisplayName->sr))
{
matched = TRUE;
break;
}
}
if (serviceItem->ProcessId)
{
if (WordMatchStringZ(serviceItem->ProcessIdString))
{
matched = TRUE;
break;
}
}
if (NT_SUCCESS(QueryServiceFileName(
&serviceItem->Name->sr,
&serviceFileName,
&serviceBinaryPath
)))
{
if (serviceFileName)
{
if (WordMatchStringRef(&serviceFileName->sr))
{
matched = TRUE;
}
PhDereferenceObject(serviceFileName);
}
if (serviceBinaryPath)
{
if (WordMatchStringRef(&serviceBinaryPath->sr))
{
matched = TRUE;
}
PhDereferenceObject(serviceBinaryPath);
}
if (matched)
break;
}
}
PhDereferenceObjects(serviceList->Items, serviceList->Count);
PhDereferenceObject(serviceList);
if (matched)
return TRUE;
}
return FALSE;
}
BOOLEAN ServiceTreeFilterCallback(
_In_ PPH_TREENEW_NODE Node,
_In_opt_ PVOID Context
)
{
PPH_SERVICE_NODE serviceNode = (PPH_SERVICE_NODE)Node;
PPH_STRING serviceFileName = NULL;
PPH_STRING serviceBinaryPath = NULL;
if (PhIsNullOrEmptyString(SearchboxText))
return TRUE;
if (WordMatchStringZ(PhGetServiceTypeString(serviceNode->ServiceItem->Type)))
return TRUE;
if (WordMatchStringZ(PhGetServiceStateString(serviceNode->ServiceItem->State)))
return TRUE;
if (WordMatchStringZ(PhGetServiceStartTypeString(serviceNode->ServiceItem->StartType)))
return TRUE;
if (WordMatchStringZ(PhGetServiceErrorControlString(serviceNode->ServiceItem->ErrorControl)))
return TRUE;
if (!PhIsNullOrEmptyString(serviceNode->ServiceItem->Name))
{
if (WordMatchStringRef(&serviceNode->ServiceItem->Name->sr))
return TRUE;
}
if (!PhIsNullOrEmptyString(serviceNode->ServiceItem->DisplayName))
{
if (WordMatchStringRef(&serviceNode->ServiceItem->DisplayName->sr))
return TRUE;
}
if (serviceNode->ServiceItem->ProcessId)
{
PPH_PROCESS_NODE processNode;
WCHAR processIdString[PH_INT32_STR_LEN_1];
PhPrintUInt32(processIdString, HandleToUlong(serviceNode->ServiceItem->ProcessId));
if (WordMatchStringZ(processIdString))
return TRUE;
// Search the process node
if (processNode = PhFindProcessNode(serviceNode->ServiceItem->ProcessId))
{
if (ProcessTreeFilterCallback(&processNode->Node, NULL))
return TRUE;
}
}
if (NT_SUCCESS(QueryServiceFileName(
&serviceNode->ServiceItem->Name->sr,
&serviceFileName,
&serviceBinaryPath
)))
{
BOOLEAN matched = FALSE;
if (serviceFileName)
{
if (WordMatchStringRef(&serviceFileName->sr))
{
matched = TRUE;
}
PhDereferenceObject(serviceFileName);
}
if (serviceBinaryPath)
{
if (WordMatchStringRef(&serviceBinaryPath->sr))
{
matched = TRUE;
}
PhDereferenceObject(serviceBinaryPath);
}
if (matched)
return TRUE;
}
return FALSE;
}
