VOID EtInitializeDiskInformation(
VOID
)
{
LARGE_INTEGER performanceCounter;
EtDiskItemType = PhCreateObjectType(L"DiskItem", 0, EtpDiskItemDeleteProcedure);
EtDiskHashtable = PhCreateHashtable(
sizeof(PET_DISK_ITEM),
EtpDiskHashtableEqualFunction,
EtpDiskHashtableHashFunction,
128
);
InitializeListHead(&EtDiskAgeListHead);
PhInitializeFreeList(&EtDiskPacketFreeList, sizeof(ETP_DISK_PACKET), 64);
RtlInitializeSListHead(&EtDiskPacketListHead);
EtFileNameHashtable = PhCreateSimpleHashtable(128);
NtQueryPerformanceCounter(&performanceCounter, &EtpPerformanceFrequency);
EtDiskEnabled = TRUE;
// Collect all existing file names.
EtStartEtwRundown();
PhRegisterCallback(
&PhProcessesUpdatedEvent,
ProcessesUpdatedCallback,
NULL,
&ProcessesUpdatedCallbackRegistration
);
}
PPH_MODULE_PROVIDER PhCreateModuleProvider(
__in HANDLE ProcessId
)
{
PPH_MODULE_PROVIDER moduleProvider;
if (!NT_SUCCESS(PhCreateObject(
&moduleProvider,
sizeof(PH_MODULE_PROVIDER),
0,
PhModuleProviderType
)))
return NULL;
moduleProvider->ModuleHashtable = PhCreateHashtable(
sizeof(PPH_MODULE_ITEM),
PhpModuleHashtableCompareFunction,
PhpModuleHashtableHashFunction,
20
);
PhInitializeFastLock(&moduleProvider->ModuleHashtableLock);
PhInitializeCallback(&moduleProvider->ModuleAddedEvent);
PhInitializeCallback(&moduleProvider->ModuleModifiedEvent);
PhInitializeCallback(&moduleProvider->ModuleRemovedEvent);
PhInitializeCallback(&moduleProvider->UpdatedEvent);
moduleProvider->ProcessId = ProcessId;
moduleProvider->ProcessHandle = NULL;
// It doesn't matter if we can't get a process handle.
// Try to get a handle with query information + vm read access.
if (!NT_SUCCESS(PhOpenProcess(
&moduleProvider->ProcessHandle,
PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
ProcessId
)))
{
if (WINDOWS_HAS_LIMITED_ACCESS)
{
// Try to get a handle with query limited information + vm read access.
PhOpenProcess(
&moduleProvider->ProcessHandle,
PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ,
ProcessId
);
}
}
RtlInitializeSListHead(&moduleProvider->QueryListHead);
return moduleProvider;
}
PPH_THREAD_PROVIDER PhCreateThreadProvider(
__in HANDLE ProcessId
)
{
PPH_THREAD_PROVIDER threadProvider;
if (!NT_SUCCESS(PhCreateObject(
&threadProvider,
sizeof(PH_THREAD_PROVIDER),
0,
PhThreadProviderType
)))
return NULL;
threadProvider->ThreadHashtable = PhCreateHashtable(
sizeof(PPH_THREAD_ITEM),
PhpThreadHashtableCompareFunction,
PhpThreadHashtableHashFunction,
20
);
PhInitializeFastLock(&threadProvider->ThreadHashtableLock);
PhInitializeCallback(&threadProvider->ThreadAddedEvent);
PhInitializeCallback(&threadProvider->ThreadModifiedEvent);
PhInitializeCallback(&threadProvider->ThreadRemovedEvent);
PhInitializeCallback(&threadProvider->UpdatedEvent);
PhInitializeCallback(&threadProvider->LoadingStateChangedEvent);
threadProvider->ProcessId = ProcessId;
threadProvider->SymbolProvider = PhCreateSymbolProvider(ProcessId);
if (threadProvider->SymbolProvider)
{
if (threadProvider->SymbolProvider->IsRealHandle)
threadProvider->ProcessHandle = threadProvider->SymbolProvider->ProcessHandle;
}
PhInitializeEvent(&threadProvider->SymbolsLoadedEvent);
threadProvider->SymbolsLoading = 0;
RtlInitializeSListHead(&threadProvider->QueryListHead);
threadProvider->RunId = 1;
// Begin loading symbols for the process' modules.
PhReferenceObject(threadProvider);
PhpQueueThreadWorkQueueItem(PhpThreadProviderLoadSymbols, threadProvider);
return threadProvider;
}
PPH_THREAD_PROVIDER PhCreateThreadProvider(
_In_ HANDLE ProcessId
)
{
PPH_THREAD_PROVIDER threadProvider;
threadProvider = PhCreateObject(
PhEmGetObjectSize(EmThreadProviderType, sizeof(PH_THREAD_PROVIDER)),
PhThreadProviderType
);
memset(threadProvider, 0, sizeof(PH_THREAD_PROVIDER));
threadProvider->ThreadHashtable = PhCreateHashtable(
sizeof(PPH_THREAD_ITEM),
PhpThreadHashtableEqualFunction,
PhpThreadHashtableHashFunction,
20
);
PhInitializeFastLock(&threadProvider->ThreadHashtableLock);
PhInitializeCallback(&threadProvider->ThreadAddedEvent);
PhInitializeCallback(&threadProvider->ThreadModifiedEvent);
PhInitializeCallback(&threadProvider->ThreadRemovedEvent);
PhInitializeCallback(&threadProvider->UpdatedEvent);
PhInitializeCallback(&threadProvider->LoadingStateChangedEvent);
threadProvider->ProcessId = ProcessId;
threadProvider->SymbolProvider = PhCreateSymbolProvider(ProcessId);
if (threadProvider->SymbolProvider)
{
if (threadProvider->SymbolProvider->IsRealHandle)
threadProvider->ProcessHandle = threadProvider->SymbolProvider->ProcessHandle;
}
RtlInitializeSListHead(&threadProvider->QueryListHead);
PhInitializeQueuedLock(&threadProvider->LoadSymbolsLock);
threadProvider->RunId = 1;
threadProvider->SymbolsLoadedRunId = 0; // Force symbols to be loaded the first time we try to resolve an address
PhEmCallObjectOperation(EmThreadProviderType, threadProvider, EmObjectCreate);
return threadProvider;
}
PPH_MODULE_PROVIDER PhCreateModuleProvider(
_In_ HANDLE ProcessId
)
{
NTSTATUS status;
PPH_MODULE_PROVIDER moduleProvider;
moduleProvider = PhCreateObject(
PhEmGetObjectSize(EmModuleProviderType, sizeof(PH_MODULE_PROVIDER)),
PhModuleProviderType
);
moduleProvider->ModuleHashtable = PhCreateHashtable(
sizeof(PPH_MODULE_ITEM),
PhpModuleHashtableEqualFunction,
PhpModuleHashtableHashFunction,
20
);
PhInitializeFastLock(&moduleProvider->ModuleHashtableLock);
PhInitializeCallback(&moduleProvider->ModuleAddedEvent);
PhInitializeCallback(&moduleProvider->ModuleModifiedEvent);
PhInitializeCallback(&moduleProvider->ModuleRemovedEvent);
PhInitializeCallback(&moduleProvider->UpdatedEvent);
moduleProvider->ProcessId = ProcessId;
moduleProvider->ProcessHandle = NULL;
moduleProvider->PackageFullName = NULL;
moduleProvider->RunStatus = STATUS_SUCCESS;
// It doesn't matter if we can't get a process handle.
// Try to get a handle with query information + vm read access.
if (!NT_SUCCESS(status = PhOpenProcess(
&moduleProvider->ProcessHandle,
PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
ProcessId
)))
{
if (WINDOWS_HAS_LIMITED_ACCESS)
{
// Try to get a handle with query limited information + vm read access.
status = PhOpenProcess(
&moduleProvider->ProcessHandle,
PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ,
ProcessId
);
}
moduleProvider->RunStatus = status;
}
if (moduleProvider->ProcessHandle)
moduleProvider->PackageFullName = PhGetProcessPackageFullName(moduleProvider->ProcessHandle);
RtlInitializeSListHead(&moduleProvider->QueryListHead);
PhEmCallObjectOperation(EmModuleProviderType, moduleProvider, EmObjectCreate);
return moduleProvider;
}
NTSTATUS
InitializeUserModePnpManager(
IN HINF* phSetupInf)
{
NTSTATUS Status;
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING EnumU = RTL_CONSTANT_STRING(L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Enum");
UNICODE_STRING ServicesU = RTL_CONSTANT_STRING(L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Services");
Status = NtCreateEvent(&hDeviceInstallListNotEmpty,
EVENT_ALL_ACCESS,
NULL,
SynchronizationEvent,
FALSE);
if (!NT_SUCCESS(Status))
{
DPRINT1("Could not create the event! (Status 0x%08lx)\n", Status);
goto Failure;
}
Status = NtCreateEvent(&hNoPendingInstalls,
EVENT_ALL_ACCESS,
NULL,
NotificationEvent,
FALSE);
if (!NT_SUCCESS(Status))
{
DPRINT1("Could not create the event! (Status 0x%08lx)\n", Status);
goto Failure;
}
RtlInitializeSListHead(&DeviceInstallListHead);
InitializeObjectAttributes(&ObjectAttributes, &EnumU, OBJ_CASE_INSENSITIVE, NULL, NULL);
Status = NtOpenKey(&hEnumKey, KEY_QUERY_VALUE, &ObjectAttributes);
if (!NT_SUCCESS(Status))
{
DPRINT1("NtOpenKey('%wZ') failed (Status 0x%08lx)\n", &EnumU, Status);
goto Failure;
}
InitializeObjectAttributes(&ObjectAttributes, &ServicesU, OBJ_CASE_INSENSITIVE, NULL, NULL);
Status = NtCreateKey(&hServicesKey, KEY_ALL_ACCESS, &ObjectAttributes, 0, NULL, REG_OPTION_NON_VOLATILE, NULL);
if (!NT_SUCCESS(Status))
{
DPRINT1("NtCreateKey('%wZ') failed (Status 0x%08lx)\n", &ServicesU, Status);
goto Failure;
}
/* Create the PnP event thread in suspended state */
Status = RtlCreateUserThread(NtCurrentProcess(),
NULL,
TRUE,
0,
0,
0,
PnpEventThread,
NULL,
&hPnpThread,
NULL);
if (!NT_SUCCESS(Status))
{
DPRINT1("Failed to create the PnP event thread (Status 0x%08lx)\n", Status);
hPnpThread = NULL;
goto Failure;
}
/* Create the device installation thread in suspended state */
Status = RtlCreateUserThread(NtCurrentProcess(),
NULL,
TRUE,
0,
0,
0,
DeviceInstallThread,
phSetupInf,
&hDeviceInstallThread,
NULL);
if (!NT_SUCCESS(Status))
{
DPRINT1("Failed to create the device installation thread (Status 0x%08lx)\n", Status);
hDeviceInstallThread = NULL;
goto Failure;
}
return STATUS_SUCCESS;
Failure:
if (hPnpThread)
{
NtTerminateThread(hPnpThread, STATUS_SUCCESS);
NtClose(hPnpThread);
}
hPnpThread = NULL;
if (hServicesKey)
NtClose(hServicesKey);
hServicesKey = NULL;
if (hEnumKey)
NtClose(hEnumKey);
hEnumKey = NULL;
if (hNoPendingInstalls)
NtClose(hNoPendingInstalls);
hNoPendingInstalls = NULL;
if (hDeviceInstallListNotEmpty)
NtClose(hDeviceInstallListNotEmpty);
hDeviceInstallListNotEmpty = NULL;
return Status;
}
