/**
 * Creates a service item object.
 *
 * \param Information Optional enumeration record for the service. When
 * supplied, its name, display name, type, state, accepted controls, flags and
 * process ID are copied into the new item; otherwise the item stays zeroed.
 *
 * \return The new service item.
 */
PPH_SERVICE_ITEM PhCreateServiceItem(
    _In_opt_ LPENUM_SERVICE_STATUS_PROCESS Information
    )
{
    PPH_SERVICE_ITEM item = PhCreateObject(
        PhEmGetObjectSize(EmServiceItemType, sizeof(PH_SERVICE_ITEM)),
        PhServiceItemType
        );

    // Clear the base structure (the extension-manager tail is left to its owners).
    memset(item, 0, sizeof(PH_SERVICE_ITEM));

    if (!Information)
    {
        PhEmCallObjectOperation(EmServiceItemType, item, EmObjectCreate);
        return item;
    }

    item->Name = PhCreateString(Information->lpServiceName);
    // Key is a string-ref copy pointing at Name's buffer, not an independent allocation.
    item->Key = item->Name->sr;
    item->DisplayName = PhCreateString(Information->lpDisplayName);
    item->Type = Information->ServiceStatusProcess.dwServiceType;
    item->State = Information->ServiceStatusProcess.dwCurrentState;
    item->ControlsAccepted = Information->ServiceStatusProcess.dwControlsAccepted;
    item->Flags = Information->ServiceStatusProcess.dwServiceFlags;
    item->ProcessId = UlongToHandle(Information->ServiceStatusProcess.dwProcessId);

    // Only a non-zero PID gets a printable form; ProcessIdString stays empty otherwise.
    if (item->ProcessId)
        PhPrintUInt32(item->ProcessIdString, HandleToUlong(item->ProcessId));

    PhEmCallObjectOperation(EmServiceItemType, item, EmObjectCreate);

    return item;
}
/**
 * Receives one entry from the hidden-process enumeration and records it in
 * the global list and the list view.
 *
 * \param Process The entry reported by the enumerator; a private copy is kept.
 * \param Context Unused.
 *
 * \return Always TRUE.
 */
static BOOLEAN NTAPI PhpHiddenProcessesCallback(
    _In_ PPH_HIDDEN_PROCESS_ENTRY Process,
    _In_opt_ PVOID Context
    )
{
    WCHAR pidText[PH_INT32_STR_LEN_1];
    PPH_HIDDEN_PROCESS_ENTRY copy = PhAllocateCopy(Process, sizeof(PH_HIDDEN_PROCESS_ENTRY));
    INT itemIndex;

    // The shallow copy shares FileName with the caller's entry, so hold our own reference.
    if (copy->FileName)
        PhReferenceObject(copy->FileName);

    PhAddItemList(ProcessesList, copy);

    itemIndex = PhAddListViewItem(
        PhHiddenProcessesListViewHandle,
        MAXINT,
        PhGetStringOrDefault(copy->FileName, L"(unknown)"),
        copy
        );
    PhPrintUInt32(pidText, HandleToUlong(copy->ProcessId));
    PhSetListViewSubItem(PhHiddenProcessesListViewHandle, itemIndex, 1, pidText);

    switch (copy->Type)
    {
    case HiddenProcess:
        NumberOfHiddenProcesses++;
        break;
    case TerminatedProcess:
        NumberOfTerminatedProcesses++;
        break;
    default:
        break;
    }

    return TRUE;
}
/**
 * Replaces the contents of the stack list view with the items in \a List.
 *
 * \param ListViewHandle The list view to fill.
 * \param List The stack items to display; each item becomes one row.
 */
static VOID PhpPopulateThreadStackListView(
    _In_ HWND ListViewHandle,
    _In_ PPH_LIST List
    )
{
    ListView_DeleteAllItems(ListViewHandle);
    // Suspend redraw while rows are added, then invalidate once at the end.
    SendMessage(ListViewHandle, WM_SETREDRAW, FALSE, 0);

    for (ULONG index = 0; index < List->Count; index++)
    {
        PTHREAD_STACK_ITEM item = List->Items[index];
        WCHAR indexText[PH_INT32_STR_LEN_1];
        INT lvItemIndex;

        PhPrintUInt32(indexText, item->Index);
        lvItemIndex = PhAddListViewItem(ListViewHandle, MAXINT, indexText, item);
        PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, PhGetStringOrDefault(item->Symbol, L"???"));
    }

    SendMessage(ListViewHandle, WM_SETREDRAW, TRUE, 0);
    InvalidateRect(ListViewHandle, NULL, FALSE);
}

/**
 * Runs a stack walk behind a modal progress dialog and shows the outcome.
 *
 * \param hwnd Owner window for the progress dialog.
 * \param ThreadStackContext Walk state. On success the previous \c List is
 * released and replaced by \c NewList, which is then reset to a fresh list;
 * if the walk was stopped or failed, the partial \c NewList is emptied instead.
 *
 * \return STATUS_ABANDONED if the user stopped the walk, otherwise the walk status.
 */
static NTSTATUS PhpRefreshThreadStack(
    _In_ HWND hwnd,
    _In_ PTHREAD_STACK_CONTEXT ThreadStackContext
    )
{
    BOOLEAN walkCompleted;

    ThreadStackContext->StopWalk = FALSE;
    PhSwapReference2(&ThreadStackContext->StatusMessage, PhCreateString(L"Loading stack..."));

    // The modal progress dialog (PhpThreadStackProgressDlgProc) is expected to
    // drive the walk and return once it finishes or the user stops it.
    DialogBoxParam(
        PhInstanceHandle,
        MAKEINTRESOURCE(IDD_PROGRESS),
        hwnd,
        PhpThreadStackProgressDlgProc,
        (LPARAM)ThreadStackContext
        );

    walkCompleted = !ThreadStackContext->StopWalk && NT_SUCCESS(ThreadStackContext->WalkStatus);

    if (walkCompleted)
    {
        // Retire the previously displayed items and promote the freshly walked list.
        for (ULONG index = 0; index < ThreadStackContext->List->Count; index++)
            PhpFreeThreadStackItem(ThreadStackContext->List->Items[index]);

        PhDereferenceObject(ThreadStackContext->List);
        ThreadStackContext->List = ThreadStackContext->NewList;
        ThreadStackContext->NewList = PhCreateList(10);

        PhpPopulateThreadStackListView(ThreadStackContext->ListViewHandle, ThreadStackContext->List);
    }
    else
    {
        // Discard whatever was collected before the walk stopped or failed.
        for (ULONG index = 0; index < ThreadStackContext->NewList->Count; index++)
            PhpFreeThreadStackItem(ThreadStackContext->NewList->Items[index]);

        PhClearList(ThreadStackContext->NewList);
    }

    return ThreadStackContext->StopWalk ? STATUS_ABANDONED : ThreadStackContext->WalkStatus;
}
/**
 * Creates a thread item for the given thread ID.
 *
 * \param ThreadId The thread ID the item represents.
 *
 * \return The new, zero-initialized thread item with ThreadId and
 * ThreadIdString filled in.
 */
PPH_THREAD_ITEM PhCreateThreadItem(
    _In_ HANDLE ThreadId
    )
{
    PPH_THREAD_ITEM item = PhCreateObject(
        PhEmGetObjectSize(EmThreadItemType, sizeof(PH_THREAD_ITEM)),
        PhThreadItemType
        );

    memset(item, 0, sizeof(PH_THREAD_ITEM));

    item->ThreadId = ThreadId;
    // ThreadIdString holds the decimal form of the ID (HandleToUlong narrows the handle).
    PhPrintUInt32(item->ThreadIdString, HandleToUlong(ThreadId));

    // Run the EmObjectCreate operation registered for the thread item type.
    PhEmCallObjectOperation(EmThreadItemType, item, EmObjectCreate);

    return item;
}
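/**
 * Creates a thread item for the given thread ID.
 *
 * \param ThreadId The thread ID the item represents.
 *
 * \return The new thread item, or NULL if the object could not be allocated.
 */
PPH_THREAD_ITEM PhCreateThreadItem(
    __in HANDLE ThreadId
    )
{
    PPH_THREAD_ITEM threadItem;
    NTSTATUS status;

    status = PhCreateObject(
        &threadItem,
        PhEmGetObjectSize(EmThreadItemType, sizeof(PH_THREAD_ITEM)),
        0,
        PhThreadItemType
        );

    if (!NT_SUCCESS(status))
        return NULL;

    memset(threadItem, 0, sizeof(PH_THREAD_ITEM));
    threadItem->ThreadId = ThreadId;
    // HandleToUlong yields the same 32-bit value as a direct (ULONG) cast of the
    // handle but without the pointer-truncation warning on 64-bit builds; it is
    // also what the other item constructors use.
    PhPrintUInt32(threadItem->ThreadIdString, HandleToUlong(ThreadId));

    // Run the EmObjectCreate operation registered for the thread item type.
    PhEmCallObjectOperation(EmThreadItemType, threadItem, EmObjectCreate);

    return threadItem;
}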
// Matches an optional string against the search text; NULL or empty never matches.
static BOOLEAN PhpNetworkFilterMatchString(
    _In_opt_ PPH_STRING String
    )
{
    return !PhIsNullOrEmptyString(String) && WordMatchStringRef(&String->sr);
}

// Matches a NUL-terminated inline buffer against the search text; an empty buffer never matches.
static BOOLEAN PhpNetworkFilterMatchBuffer(
    _In_ PWSTR Buffer
    )
{
    return Buffer[0] && WordMatchStringZ(Buffer);
}

/**
 * Tree filter for the network tab: decides whether a connection row stays
 * visible for the current search box text.
 *
 * \param Node The network node being filtered.
 * \param Context Unused.
 *
 * \return TRUE if the search text is empty or matches any of the row's
 * displayed fields, the protocol/state names, the PID, or the owning
 * process node's own filter; FALSE otherwise.
 */
BOOLEAN NetworkTreeFilterCallback(
    _In_ PPH_TREENEW_NODE Node,
    _In_opt_ PVOID Context
    )
{
    PPH_NETWORK_ITEM networkItem;

    // An empty search box shows every row.
    if (PhIsNullOrEmptyString(SearchboxText))
        return TRUE;

    networkItem = ((PPH_NETWORK_NODE)Node)->NetworkItem;

    if (PhpNetworkFilterMatchString(networkItem->ProcessName) ||
        PhpNetworkFilterMatchString(networkItem->OwnerName) ||
        PhpNetworkFilterMatchBuffer(networkItem->LocalAddressString) ||
        PhpNetworkFilterMatchBuffer(networkItem->LocalPortString) ||
        PhpNetworkFilterMatchString(networkItem->LocalHostString) ||
        PhpNetworkFilterMatchBuffer(networkItem->RemoteAddressString) ||
        PhpNetworkFilterMatchBuffer(networkItem->RemotePortString) ||
        PhpNetworkFilterMatchString(networkItem->RemoteHostString))
    {
        return TRUE;
    }

    if (WordMatchStringZ(PhGetProtocolTypeName(networkItem->ProtocolType)))
        return TRUE;

    // A TCP state name is only meaningful for TCP endpoints.
    if ((networkItem->ProtocolType & PH_TCP_PROTOCOL_TYPE) &&
        WordMatchStringZ(PhGetTcpStateName(networkItem->State)))
        return TRUE;

    if (networkItem->ProcessId)
    {
        WCHAR processIdString[PH_INT32_STR_LEN_1];
        PPH_PROCESS_NODE processNode;

        PhPrintUInt32(processIdString, HandleToUlong(networkItem->ProcessId));

        if (WordMatchStringZ(processIdString))
            return TRUE;

        // Defer to the owning process node's filter so that a process which
        // matches in the process tree keeps its connections visible too.
        processNode = PhFindProcessNode(networkItem->ProcessId);

        if (processNode && ProcessTreeFilterCallback(&processNode->Node, NULL))
            return TRUE;
    }

    return FALSE;
}
/**
 * Rebuilds the chooser dialog's process list view from a fresh process
 * snapshot: one row per process with its icon, PID and user name.
 *
 * \param hwndDlg The dialog; used as the owner of any error message.
 * \param Context Dialog context providing the list view and its image list.
 */
static VOID PhpRefreshProcessList(
    _In_ HWND hwndDlg,
    _In_ PCHOOSE_PROCESS_DIALOG_CONTEXT Context
    )
{
    HWND listViewHandle = Context->ListViewHandle;
    NTSTATUS status;
    PVOID processes;
    PSYSTEM_PROCESS_INFORMATION process;

    ListView_DeleteAllItems(listViewHandle);
    ImageList_RemoveAll(Context->ImageList);

    status = PhEnumProcesses(&processes);

    if (!NT_SUCCESS(status))
    {
        PhShowStatus(hwndDlg, L"Unable to enumerate processes", status, 0);
        return;
    }

    ExtendedListView_SetRedraw(listViewHandle, FALSE);

    // PH_NEXT_PROCESS yields NULL after the last snapshot entry.
    for (process = PH_FIRST_PROCESS(processes); process; process = PH_NEXT_PROCESS(process))
    {
        HANDLE processId = process->UniqueProcessId;
        PPH_STRING name;
        PPH_STRING fileName = NULL;
        PPH_STRING userName = NULL;
        HANDLE processHandle;
        HICON icon;
        INT lvItemIndex;
        WCHAR processIdString[PH_INT32_STR_LEN_1];

        // The idle process is labelled with the fixed name rather than its snapshot image name.
        if (processId == SYSTEM_IDLE_PROCESS_ID)
            name = PhCreateString(SYSTEM_IDLE_PROCESS_NAME);
        else
            name = PhCreateStringFromUnicodeString(&process->ImageName);

        lvItemIndex = PhAddListViewItem(listViewHandle, MAXINT, name->Buffer, processId);
        PhDereferenceObject(name);

        if (NT_SUCCESS(PhOpenProcess(&processHandle, ProcessQueryAccess, processId)))
        {
            HANDLE tokenHandle;
            PTOKEN_USER tokenUser;

            // Older Windows: the image file name needs a process handle.
            if (!WINDOWS_HAS_IMAGE_FILE_NAME_BY_PROCESS_ID && processId != SYSTEM_PROCESS_ID)
                PhGetProcessImageFileName(processHandle, &fileName);

            if (NT_SUCCESS(PhOpenProcessToken(&tokenHandle, TOKEN_QUERY, processHandle)))
            {
                if (NT_SUCCESS(PhGetTokenUser(tokenHandle, &tokenUser)))
                {
                    userName = PhGetSidFullName(tokenUser->User.Sid, TRUE, NULL);
                    PhFree(tokenUser);
                }

                NtClose(tokenHandle);
            }

            NtClose(processHandle);
        }

        // No token user for the idle process: fall back to the local system name.
        if (processId == SYSTEM_IDLE_PROCESS_ID && !userName && PhLocalSystemName)
            PhSetReference(&userName, PhLocalSystemName);

        // Newer Windows: the image file name can be queried by PID alone.
        if (WINDOWS_HAS_IMAGE_FILE_NAME_BY_PROCESS_ID && processId != SYSTEM_PROCESS_ID)
            PhGetProcessImageFileNameByProcessId(processId, &fileName);

        // The System process is represented by the kernel image.
        if (processId == SYSTEM_PROCESS_ID)
            fileName = PhGetKernelFileName();

        // Convert the name with PhGetFileName before the shell icon lookup.
        if (fileName)
            PhMoveReference(&fileName, PhGetFileName(fileName));

        // fileName may still be NULL here (PhGetString then yields NULL);
        // presumably PhGetFileShellIcon falls back to the generic .exe icon — confirm.
        icon = PhGetFileShellIcon(PhGetString(fileName), L".exe", FALSE);

        if (icon)
        {
            INT imageIndex = ImageList_AddIcon(Context->ImageList, icon);

            PhSetListViewItemImageIndex(listViewHandle, lvItemIndex, imageIndex);
            DestroyIcon(icon);
        }

        PhPrintUInt32(processIdString, HandleToUlong(processId));
        PhSetListViewSubItem(listViewHandle, lvItemIndex, 1, processIdString);
        PhSetListViewSubItem(listViewHandle, lvItemIndex, 2, PhGetString(userName));

        PhClearReference(&userName);
        PhClearReference(&fileName);
    }

    PhFree(processes);

    ExtendedListView_SortItems(listViewHandle);
    ExtendedListView_SetRedraw(listViewHandle, TRUE);
}
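/**
 * Shows a counted resource directory string in a list view column.
 *
 * \param ListViewHandle The list view.
 * \param ItemIndex The row.
 * \param SubItemIndex The column.
 * \param String A string entry from the mapped image's resource directory.
 * Its \c Length is a character count and \c NameString carries no terminator,
 * so the text must be re-created as a NUL-terminated string before it is
 * handed to the list view.
 */
static VOID PvpSetResourceDirStringSubItem(
    _In_ HWND ListViewHandle,
    _In_ INT ItemIndex,
    _In_ INT SubItemIndex,
    _In_ PIMAGE_RESOURCE_DIR_STRING_U String
    )
{
    // PhCreateStringEx takes the length in bytes and appends the terminator itself;
    // a raw PhAllocateCopy of Length * sizeof(WCHAR) would leave the text unterminated
    // and the list view would read past the end of the copy.
    PPH_STRING string = PhCreateStringEx(String->NameString, String->Length * sizeof(WCHAR));

    PhSetListViewSubItem(ListViewHandle, ItemIndex, SubItemIndex, string->Buffer);
    PhDereferenceObject(string);
}

/**
 * Property page procedure for the PE viewer's "Resources" page: lists every
 * resource entry of the mapped image with its type, name, size and language.
 *
 * \param hwndDlg The page dialog.
 * \param uMsg The message.
 * \param wParam Message parameter (unused here).
 * \param lParam Message parameter; forwarded to the page header and the
 * list-view copy handler.
 *
 * \return Always FALSE (no message is marked as handled).
 */
INT_PTR CALLBACK PvpPeResourcesDlgProc(
    _In_ HWND hwndDlg,
    _In_ UINT uMsg,
    _In_ WPARAM wParam,
    _In_ LPARAM lParam
    )
{
    LPPROPSHEETPAGE propSheetPage;
    PPV_PROPPAGECONTEXT propPageContext;

    if (!PvPropPageDlgProcHeader(hwndDlg, uMsg, lParam, &propSheetPage, &propPageContext))
        return FALSE;

    switch (uMsg)
    {
    case WM_INITDIALOG:
        {
            HWND lvHandle;
            PH_MAPPED_IMAGE_RESOURCES resources;
            PH_IMAGE_RESOURCE_ENTRY entry;
            ULONG count = 0;
            ULONG i;
            INT lvItemIndex;

            lvHandle = GetDlgItem(hwndDlg, IDC_LIST);
            PhSetListViewStyle(lvHandle, TRUE, TRUE);
            PhSetControlTheme(lvHandle, L"explorer");
            PhAddListViewColumn(lvHandle, 0, 0, 0, LVCFMT_LEFT, 40, L"#");
            PhAddListViewColumn(lvHandle, 1, 1, 1, LVCFMT_LEFT, 150, L"Type");
            PhAddListViewColumn(lvHandle, 2, 2, 2, LVCFMT_LEFT, 80, L"Name");
            PhAddListViewColumn(lvHandle, 3, 3, 3, LVCFMT_LEFT, 100, L"Size");
            PhAddListViewColumn(lvHandle, 4, 4, 4, LVCFMT_LEFT, 100, L"Language");
            PhSetExtendedListView(lvHandle);
            PhLoadListViewColumnsFromSetting(L"ImageResourcesListViewColumns", lvHandle);

            if (NT_SUCCESS(PhGetMappedImageResources(&resources, &PvMappedImage)))
            {
                // NOTE(review): entry.Type/Name/Language string pointers and their
                // Length fields come from the mapped (untrusted) image; this code
                // relies on PhGetMappedImageResources having validated them against
                // the mapping bounds — confirm.
                for (i = 0; i < resources.NumberOfEntries; i++)
                {
                    WCHAR number[PH_INT32_STR_LEN_1];

                    entry = resources.ResourceEntries[i];

                    // count is a ULONG, so the 32-bit printer is sufficient and
                    // matches the buffer size.
                    PhPrintUInt32(number, ++count);
                    lvItemIndex = PhAddListViewItem(lvHandle, MAXINT, number, NULL);

                    // Each of Type/Name/Language is either a small integer ID
                    // (IS_INTRESOURCE) or a pointer to a counted directory string.
                    if (IS_INTRESOURCE(entry.Type))
                    {
                        PhSetListViewSubItem(lvHandle, lvItemIndex, PVE_RESOURCES_COLUMN_INDEX_TYPE, PvpGetResourceTypeString(entry.Type));
                    }
                    else
                    {
                        PvpSetResourceDirStringSubItem(lvHandle, lvItemIndex, PVE_RESOURCES_COLUMN_INDEX_TYPE,
                            (PIMAGE_RESOURCE_DIR_STRING_U)entry.Type);
                    }

                    if (IS_INTRESOURCE(entry.Name))
                    {
                        PhPrintUInt32(number, (ULONG)entry.Name);
                        PhSetListViewSubItem(lvHandle, lvItemIndex, PVE_RESOURCES_COLUMN_INDEX_NAME, number);
                    }
                    else
                    {
                        PvpSetResourceDirStringSubItem(lvHandle, lvItemIndex, PVE_RESOURCES_COLUMN_INDEX_NAME,
                            (PIMAGE_RESOURCE_DIR_STRING_U)entry.Name);
                    }

                    if (IS_INTRESOURCE(entry.Language))
                    {
                        WCHAR name[LOCALE_NAME_MAX_LENGTH];

                        PhPrintUInt32(number, (ULONG)entry.Language);

                        // Show "LCID (locale name)" when the LCID resolves, else the bare number.
                        if (LCIDToLocaleName((ULONG)entry.Language, name, LOCALE_NAME_MAX_LENGTH, LOCALE_ALLOW_NEUTRAL_NAMES))
                            PhSetListViewSubItem(lvHandle, lvItemIndex, PVE_RESOURCES_COLUMN_INDEX_LCID, PhaFormatString(L"%s (%s)", number, name)->Buffer);
                        else
                            PhSetListViewSubItem(lvHandle, lvItemIndex, PVE_RESOURCES_COLUMN_INDEX_LCID, number);
                    }
                    else
                    {
                        PvpSetResourceDirStringSubItem(lvHandle, lvItemIndex, PVE_RESOURCES_COLUMN_INDEX_LCID,
                            (PIMAGE_RESOURCE_DIR_STRING_U)entry.Language);
                    }

                    PhSetListViewSubItem(lvHandle, lvItemIndex, PVE_RESOURCES_COLUMN_INDEX_SIZE, PhaFormatSize(entry.Size, -1)->Buffer);
                }

                PhFree(resources.ResourceEntries);
            }

            ExtendedListView_SortItems(lvHandle);

            EnableThemeDialogTexture(hwndDlg, ETDT_ENABLETAB);
        }
        break;
    case WM_DESTROY:
        {
            PhSaveListViewColumnsToSetting(L"ImageResourcesListViewColumns", GetDlgItem(hwndDlg, IDC_LIST));
        }
        break;
    case WM_SHOWWINDOW:
        {
            // Layout items are registered once, on the first show.
            if (!propPageContext->LayoutInitialized)
            {
                PPH_LAYOUT_ITEM dialogItem;

                dialogItem = PvAddPropPageLayoutItem(hwndDlg, hwndDlg,
                    PH_PROP_PAGE_TAB_CONTROL_PARENT, PH_ANCHOR_ALL);
                PvAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_LIST),
                    dialogItem, PH_ANCHOR_ALL);

                PvDoPropPageLayout(hwndDlg);

                propPageContext->LayoutInitialized = TRUE;
            }
        }
        break;
    case WM_NOTIFY:
        {
            PvHandleListViewNotifyForCopy(lParam, GetDlgItem(hwndDlg, IDC_LIST));
        }
        break;
    }

    return FALSE;
}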
/**
 * Dialog procedure for the memory search results window.
 *
 * The results context arrives in \a lParam on WM_INITDIALOG and is stored as
 * a window property so every later message can retrieve it. The dialog owns
 * the context and the results list and releases both on WM_DESTROY.
 *
 * \param hwndDlg The results dialog.
 * \param uMsg The message.
 * \param wParam Message parameter.
 * \param lParam Message parameter; the context on WM_INITDIALOG, otherwise
 * message-specific.
 *
 * \return Always FALSE.
 */
INT_PTR CALLBACK PhpMemoryResultsDlgProc(
    _In_ HWND hwndDlg,
    _In_ UINT uMsg,
    _In_ WPARAM wParam,
    _In_ LPARAM lParam
    )
{
    PMEMORY_RESULTS_CONTEXT context;

    // WM_INITDIALOG attaches the context to the window; later messages look it up.
    if (uMsg != WM_INITDIALOG)
    {
        context = GetProp(hwndDlg, PhMakeContextAtom());
    }
    else
    {
        context = (PMEMORY_RESULTS_CONTEXT)lParam;
        SetProp(hwndDlg, PhMakeContextAtom(), (HANDLE)context);
    }

    // No context (e.g. messages after WM_DESTROY removed the property): nothing to do.
    if (!context)
        return FALSE;

    switch (uMsg)
    {
    case WM_INITDIALOG:
        {
            HWND lvHandle;

            PhRegisterDialog(hwndDlg);

            // Title the window "Results - <name> (<pid>)" if the process item still exists.
            {
                PPH_PROCESS_ITEM processItem;

                if (processItem = PhReferenceProcessItem(context->ProcessId))
                {
                    SetWindowText(hwndDlg, PhaFormatString(L"Results - %s (%u)",
                        processItem->ProcessName->Buffer, HandleToUlong(processItem->ProcessId))->Buffer);
                    PhDereferenceObject(processItem);
                }
            }

            lvHandle = GetDlgItem(hwndDlg, IDC_LIST);
            PhSetListViewStyle(lvHandle, FALSE, TRUE);
            PhSetControlTheme(lvHandle, L"explorer");
            PhAddListViewColumn(lvHandle, 0, 0, 0, LVCFMT_LEFT, 120, L"Address");
            PhAddListViewColumn(lvHandle, 1, 1, 1, LVCFMT_LEFT, 80, L"Length");
            PhAddListViewColumn(lvHandle, 2, 2, 2, LVCFMT_LEFT, 200, L"Result");

            PhLoadListViewColumnsFromSetting(L"MemResultsListViewColumns", lvHandle);

            PhInitializeLayoutManager(&context->LayoutManager, hwndDlg);
            PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_LIST), NULL,
                PH_ANCHOR_ALL);
            PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDOK), NULL,
                PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM);
            PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_COPY), NULL,
                PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM);
            PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_SAVE), NULL,
                PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM);
            PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_FILTER), NULL,
                PH_ANCHOR_BOTTOM | PH_ANCHOR_LEFT);

            // The minimum size is computed once from dialog units; left == -1
            // marks it as not yet computed (presumably its initial value elsewhere).
            if (MinimumSize.left == -1)
            {
                RECT rect;

                rect.left = 0;
                rect.top = 0;
                rect.right = 250;
                rect.bottom = 180;
                MapDialogRect(hwndDlg, &rect);
                MinimumSize = rect;
                MinimumSize.left = 0;
            }

            // Owner-data list view: LVN_GETDISPINFO below supplies row text on demand.
            ListView_SetItemCount(lvHandle, context->Results->Count);

            SetDlgItemText(hwndDlg, IDC_INTRO, PhaFormatString(L"%s results.",
                PhaFormatUInt64(context->Results->Count, TRUE)->Buffer)->Buffer);

            // Restore the saved position/size, clamped to the working area.
            {
                PH_RECTANGLE windowRectangle;

                windowRectangle.Position = PhGetIntegerPairSetting(L"MemResultsPosition");
                windowRectangle.Size = PhGetIntegerPairSetting(L"MemResultsSize");
                PhAdjustRectangleToWorkingArea(hwndDlg, &windowRectangle);

                MoveWindow(hwndDlg, windowRectangle.Left, windowRectangle.Top,
                    windowRectangle.Width, windowRectangle.Height, FALSE);

                // Implement cascading by saving an offsetted rectangle.
                windowRectangle.Left += 20;
                windowRectangle.Top += 20;

                PhSetIntegerPairSetting(L"MemResultsPosition", windowRectangle.Position);
                PhSetIntegerPairSetting(L"MemResultsSize", windowRectangle.Size);
            }
        }
        break;
    case WM_DESTROY:
        {
            PhSaveWindowPlacementToSetting(L"MemResultsPosition", L"MemResultsSize", hwndDlg);
            PhSaveListViewColumnsToSetting(L"MemResultsListViewColumns", GetDlgItem(hwndDlg, IDC_LIST));

            PhDeleteLayoutManager(&context->LayoutManager);
            PhUnregisterDialog(hwndDlg);
            RemoveProp(hwndDlg, PhMakeContextAtom());

            // The dialog owns the result entries, the list holding them and the context itself.
            PhDereferenceMemoryResults((PPH_MEMORY_RESULT *)context->Results->Items, context->Results->Count);
            PhDereferenceObject(context->Results);
            PhFree(context);
        }
        break;
    case WM_COMMAND:
        {
            switch (LOWORD(wParam))
            {
            case IDCANCEL:
            case IDOK:
                DestroyWindow(hwndDlg);
                break;
            case IDC_COPY:
                {
                    HWND lvHandle;
                    PPH_STRING string;
                    ULONG selectedCount;

                    lvHandle = GetDlgItem(hwndDlg, IDC_LIST);
                    selectedCount = ListView_GetSelectedCount(lvHandle);

                    if (selectedCount == 0)
                    {
                        // User didn't select anything, so copy all items.
                        string = PhpGetStringForSelectedResults(lvHandle, context->Results, TRUE);
                        PhSetStateAllListViewItems(lvHandle, LVIS_SELECTED, LVIS_SELECTED);
                    }
                    else
                    {
                        string = PhpGetStringForSelectedResults(lvHandle, context->Results, FALSE);
                    }

                    PhSetClipboardString(hwndDlg, &string->sr);
                    PhDereferenceObject(string);

                    // Return keyboard focus to the list view.
                    SendMessage(hwndDlg, WM_NEXTDLGCTL, (WPARAM)lvHandle, TRUE);
                }
                break;
            case IDC_SAVE:
                {
                    static PH_FILETYPE_FILTER filters[] =
                    {
                        { L"Text files (*.txt)", L"*.txt" },
                        { L"All files (*.*)", L"*.*" }
                    };
                    PVOID fileDialog;

                    fileDialog = PhCreateSaveFileDialog();

                    PhSetFileDialogFilter(fileDialog, filters, sizeof(filters) / sizeof(PH_FILETYPE_FILTER));
                    PhSetFileDialogFileName(fileDialog, L"Search Results.txt");

                    if (PhShowFileDialog(hwndDlg, fileDialog))
                    {
                        NTSTATUS status;
                        PPH_STRING fileName;
                        PPH_FILE_STREAM fileStream;
                        PPH_STRING string;

                        fileName = PH_AUTO(PhGetFileDialogFileName(fileDialog));

                        // All results are written (TRUE), regardless of the selection.
                        if (NT_SUCCESS(status = PhCreateFileStream(
                            &fileStream,
                            fileName->Buffer,
                            FILE_GENERIC_WRITE,
                            FILE_SHARE_READ,
                            FILE_OVERWRITE_IF,
                            0
                            )))
                        {
                            PhWriteStringAsUtf8FileStream(fileStream, &PhUnicodeByteOrderMark);
                            PhWritePhTextHeader(fileStream);

                            string = PhpGetStringForSelectedResults(GetDlgItem(hwndDlg, IDC_LIST), context->Results, TRUE);
                            PhWriteStringAsUtf8FileStreamEx(fileStream, string->Buffer, string->Length);
                            PhDereferenceObject(string);

                            PhDereferenceObject(fileStream);
                        }

                        if (!NT_SUCCESS(status))
                            PhShowStatus(hwndDlg, L"Unable to create the file", status, 0);
                    }

                    PhFreeFileDialog(fileDialog);
                }
                break;
            case IDC_FILTER:
                {
                    PPH_EMENU menu;
                    RECT buttonRect;
                    POINT point;
                    PPH_EMENU_ITEM selectedItem;
                    ULONG filterType = 0;

                    menu = PhCreateEMenu();
                    PhLoadResourceEMenuItem(menu, PhInstanceHandle, MAKEINTRESOURCE(IDR_MEMFILTER), 0);

                    // Drop the menu directly below the Filter button.
                    GetClientRect(GetDlgItem(hwndDlg, IDC_FILTER), &buttonRect);
                    point.x = 0;
                    point.y = buttonRect.bottom;

                    ClientToScreen(GetDlgItem(hwndDlg, IDC_FILTER), &point);
                    selectedItem = PhShowEMenu(menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT,
                        PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y);

                    if (selectedItem)
                    {
                        switch (selectedItem->Id)
                        {
                        case ID_FILTER_CONTAINS:
                            filterType = FILTER_CONTAINS;
                            break;
                        case ID_FILTER_CONTAINS_CASEINSENSITIVE:
                            filterType = FILTER_CONTAINS_IGNORECASE;
                            break;
                        case ID_FILTER_REGEX:
                            filterType = FILTER_REGEX;
                            break;
                        case ID_FILTER_REGEX_CASEINSENSITIVE:
                            filterType = FILTER_REGEX_IGNORECASE;
                            break;
                        }
                    }

                    // filterType stays 0 when the menu was dismissed or an unknown item chosen.
                    if (filterType != 0)
                        FilterResults(hwndDlg, context, filterType);

                    PhDestroyEMenu(menu);
                }
                break;
            }
        }
        break;
    case WM_NOTIFY:
        {
            LPNMHDR header = (LPNMHDR)lParam;
            HWND lvHandle;

            lvHandle = GetDlgItem(hwndDlg, IDC_LIST);
            PhHandleListViewNotifyForCopy(lParam, lvHandle);

            switch (header->code)
            {
            case LVN_GETDISPINFO:
                {
                    NMLVDISPINFO *dispInfo = (NMLVDISPINFO *)header;

                    if (dispInfo->item.mask & LVIF_TEXT)
                    {
                        // NOTE(review): iItem indexes Results->Items without a range check;
                        // this relies on the count passed to ListView_SetItemCount staying
                        // in sync with Results (also after FilterResults) — confirm.
                        PPH_MEMORY_RESULT result = context->Results->Items[dispInfo->item.iItem];

                        // cchTextMax bounds every copy; _TRUNCATE cuts long text rather than failing.
                        switch (dispInfo->item.iSubItem)
                        {
                        case 0:
                            {
                                WCHAR addressString[PH_PTR_STR_LEN_1];

                                PhPrintPointer(addressString, result->Address);
                                wcsncpy_s(
                                    dispInfo->item.pszText,
                                    dispInfo->item.cchTextMax,
                                    addressString,
                                    _TRUNCATE
                                    );
                            }
                            break;
                        case 1:
                            {
                                WCHAR lengthString[PH_INT32_STR_LEN_1];

                                PhPrintUInt32(lengthString, (ULONG)result->Length);
                                wcsncpy_s(
                                    dispInfo->item.pszText,
                                    dispInfo->item.cchTextMax,
                                    lengthString,
                                    _TRUNCATE
                                    );
                            }
                            break;
                        case 2:
                            wcsncpy_s(
                                dispInfo->item.pszText,
                                dispInfo->item.cchTextMax,
                                result->Display.Buffer,
                                _TRUNCATE
                                );
                            break;
                        }
                    }
                }
                break;
            case NM_DBLCLK:
                {
                    // Double-clicking a result opens the memory editor on the region
                    // that contains the result address, with the match pre-selected.
                    if (header->hwndFrom == lvHandle)
                    {
                        INT index;

                        if ((index = ListView_GetNextItem(
                            lvHandle,
                            -1,
                            LVNI_SELECTED
                            )) != -1)
                        {
                            NTSTATUS status;
                            PPH_MEMORY_RESULT result = context->Results->Items[index];
                            HANDLE processHandle;
                            MEMORY_BASIC_INFORMATION basicInfo;
                            PPH_SHOWMEMORYEDITOR showMemoryEditor;

                            if (NT_SUCCESS(status = PhOpenProcess(
                                &processHandle,
                                PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                context->ProcessId
                                )))
                            {
                                // Query the region so the editor gets its base and size.
                                if (NT_SUCCESS(status = NtQueryVirtualMemory(
                                    processHandle,
                                    result->Address,
                                    MemoryBasicInformation,
                                    &basicInfo,
                                    sizeof(MEMORY_BASIC_INFORMATION),
                                    NULL
                                    )))
                                {
                                    // The request block is handed to the main window;
                                    // presumably it takes ownership and frees it — confirm.
                                    showMemoryEditor = PhAllocate(sizeof(PH_SHOWMEMORYEDITOR));
                                    memset(showMemoryEditor, 0, sizeof(PH_SHOWMEMORYEDITOR));
                                    showMemoryEditor->ProcessId = context->ProcessId;
                                    showMemoryEditor->BaseAddress = basicInfo.BaseAddress;
                                    showMemoryEditor->RegionSize = basicInfo.RegionSize;
                                    showMemoryEditor->SelectOffset = (ULONG)((ULONG_PTR)result->Address - (ULONG_PTR)basicInfo.BaseAddress);
                                    showMemoryEditor->SelectLength = (ULONG)result->Length;
                                    ProcessHacker_ShowMemoryEditor(PhMainWndHandle, showMemoryEditor);
                                }

                                NtClose(processHandle);
                            }

                            if (!NT_SUCCESS(status))
                                PhShowStatus(hwndDlg, L"Unable to edit memory", status, 0);
                        }
                    }
                }
                break;
            }
        }
        break;
    case WM_SIZE:
        {
            PhLayoutManagerLayout(&context->LayoutManager);
        }
        break;
    case WM_SIZING:
        {
            // Enforce the minimum size computed on WM_INITDIALOG.
            PhResizingMinimumSize((PRECT)lParam, wParam, MinimumSize.right, MinimumSize.bottom);
        }
        break;
    }

    return FALSE;
}
/**
 * Filter callback for the network tree: decides whether a network node stays
 * visible for the current search box text. A node is kept when the search box
 * is empty or when the search words match any searchable field: the replicated
 * process name, the item's process/owner names, local and remote address, port
 * and host strings, the protocol name, the TCP state (TCP only), the process ID
 * as text, or the owning process node (delegated to ProcessTreeFilterCallback).
 *
 * \param Node The tree node; must be a PPH_NETWORK_NODE.
 * \param Context Unused.
 *
 * \return TRUE to show the node, FALSE to hide it.
 */
BOOLEAN NetworkTreeFilterCallback(
    _In_ PPH_TREENEW_NODE Node,
    _In_opt_ PVOID Context
    )
{
    PPH_NETWORK_NODE node = (PPH_NETWORK_NODE)Node;
    PPH_STRING replicatedProcessName;
    PPH_PROCESS_NODE ownerProcessNode;
    WCHAR pidText[PH_INT32_STR_LEN_1];

    // No search text: nothing is filtered out.
    if (PhIsNullOrEmptyString(SearchboxText))
        return TRUE;

    // TODO: We need export the PPH_NETWORK_NODE->ProcessNameText field to search
    // waiting/unknown network connections... For now just replicate the data here.
    // NOTE(review): whether this helper hands back a reference that must be
    // released is not visible here; nothing releases it in this function — confirm.
    replicatedProcessName = PhpNetworkTreeGetNetworkItemProcessName(node->NetworkItem);

    if (!PhIsNullOrEmptyString(replicatedProcessName) &&
        WordMatchStringRef(&replicatedProcessName->sr))
        return TRUE;

    // Process and owner names stored on the item itself.
    if (!PhIsNullOrEmptyString(node->NetworkItem->ProcessName) &&
        WordMatchStringRef(&node->NetworkItem->ProcessName->sr))
        return TRUE;

    if (!PhIsNullOrEmptyString(node->NetworkItem->OwnerName) &&
        WordMatchStringRef(&node->NetworkItem->OwnerName->sr))
        return TRUE;

    // Local endpoint: address and port are null-terminated strings (skipped when
    // empty), the host name is a PPH_STRING.
    if (node->NetworkItem->LocalAddressString[0] &&
        WordMatchStringZ(node->NetworkItem->LocalAddressString))
        return TRUE;

    if (node->NetworkItem->LocalPortString[0] &&
        WordMatchStringZ(node->NetworkItem->LocalPortString))
        return TRUE;

    if (!PhIsNullOrEmptyString(node->NetworkItem->LocalHostString) &&
        WordMatchStringRef(&node->NetworkItem->LocalHostString->sr))
        return TRUE;

    // Remote endpoint, same layout as the local one.
    if (node->NetworkItem->RemoteAddressString[0] &&
        WordMatchStringZ(node->NetworkItem->RemoteAddressString))
        return TRUE;

    if (node->NetworkItem->RemotePortString[0] &&
        WordMatchStringZ(node->NetworkItem->RemotePortString))
        return TRUE;

    if (!PhIsNullOrEmptyString(node->NetworkItem->RemoteHostString) &&
        WordMatchStringRef(&node->NetworkItem->RemoteHostString->sr))
        return TRUE;

    // Protocol name, and the connection state for TCP protocols only.
    if (WordMatchStringZ(PhGetProtocolTypeName(node->NetworkItem->ProtocolType)))
        return TRUE;

    if ((node->NetworkItem->ProtocolType & PH_TCP_PROTOCOL_TYPE) &&
        WordMatchStringZ(PhGetTcpStateName(node->NetworkItem->State)))
        return TRUE;

    // Process ID as text, then the owning process node's own filter.
    if (node->NetworkItem->ProcessId)
    {
        PhPrintUInt32(pidText, HandleToUlong(node->NetworkItem->ProcessId));

        if (WordMatchStringZ(pidText))
            return TRUE;

        ownerProcessNode = PhFindProcessNode(node->NetworkItem->ProcessId);

        if (ownerProcessNode && ProcessTreeFilterCallback(&ownerProcessNode->Node, NULL))
            return TRUE;
    }

    return FALSE;
}
/**
 * Maps an import entry's object type (IMPORT_OBJECT_CODE/DATA/CONST) to the
 * text shown in the "Type" column.
 *
 * \param Type The import entry's Type field.
 *
 * \return A static string; "Unknown" for any other value.
 */
static PWSTR PvpGetImportObjectTypeName(
    __in ULONG Type
    )
{
    switch (Type)
    {
    case IMPORT_OBJECT_CODE:
        return L"Code";
    case IMPORT_OBJECT_DATA:
        return L"Data";
    case IMPORT_OBJECT_CONST:
        return L"Const";
    default:
        return L"Unknown";
    }
}

/**
 * Maps an import entry's name type (IMPORT_OBJECT_ORDINAL/NAME/...) to the
 * text shown in the "Name Type" column.
 *
 * \param NameType The import entry's NameType field.
 *
 * \return A static string; "Unknown" for any other value.
 */
static PWSTR PvpGetImportNameTypeName(
    __in ULONG NameType
    )
{
    switch (NameType)
    {
    case IMPORT_OBJECT_ORDINAL:
        return L"Ordinal";
    case IMPORT_OBJECT_NAME:
        return L"Name";
    case IMPORT_OBJECT_NAME_NO_PREFIX:
        return L"Name, No Prefix";
    case IMPORT_OBJECT_NAME_UNDECORATE:
        return L"Name, Undecorate";
    default:
        return L"Unknown";
    }
}

/**
 * Appends one row for an archive import entry to the exports list view:
 * DLL name, symbol name, ordinal/hint, object type and name type.
 *
 * \param ListViewHandle The list view to fill.
 * \param ImportEntry The import entry to display.
 */
static VOID PvpAddImportEntryItem(
    __in HWND ListViewHandle,
    __in PH_MAPPED_ARCHIVE_IMPORT_ENTRY *ImportEntry
    )
{
    INT lvItemIndex;
    PPH_STRING text;
    WCHAR number[PH_INT32_STR_LEN_1];

    // The temporary strings are only needed for the duration of each call.
    text = PhCreateStringFromAnsi(ImportEntry->DllName);
    lvItemIndex = PhAddListViewItem(ListViewHandle, MAXINT, text->Buffer, NULL);
    PhDereferenceObject(text);

    text = PhCreateStringFromAnsi(ImportEntry->Name);
    PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, text->Buffer);
    PhDereferenceObject(text);

    // Ordinal is unioned with NameHint, so this works both ways.
    PhPrintUInt32(number, ImportEntry->Ordinal);
    PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, number);

    PhSetListViewSubItem(ListViewHandle, lvItemIndex, 3, PvpGetImportObjectTypeName(ImportEntry->Type));
    PhSetListViewSubItem(ListViewHandle, lvItemIndex, 4, PvpGetImportNameTypeName(ImportEntry->NameType));
}

/**
 * Dialog procedure for the library exports page. On WM_INITDIALOG it builds
 * the list view columns and walks the mapped archive's members starting after
 * the last standard member, adding one row per import entry; on WM_NOTIFY it
 * forwards list view notifications for copy handling.
 *
 * \param hwndDlg The dialog window.
 * \param uMsg The window message.
 * \param wParam Message-specific; unused here.
 * \param lParam Message-specific; the NMHDR pointer for WM_NOTIFY.
 *
 * \return FALSE (default processing) for every message.
 */
INT_PTR CALLBACK PvpLibExportsDlgProc(
    __in HWND hwndDlg,
    __in UINT uMsg,
    __in WPARAM wParam,
    __in LPARAM lParam
    )
{
    if (uMsg == WM_INITDIALOG)
    {
        ULONG fallbackColumns[] = { 0, 1, 2, 3 };
        HWND lvHandle;
        PH_MAPPED_ARCHIVE_MEMBER member;
        PH_MAPPED_ARCHIVE_IMPORT_ENTRY importEntry;

        PhCenterWindow(GetParent(hwndDlg), NULL);

        lvHandle = GetDlgItem(hwndDlg, IDC_LIST);
        PhSetListViewStyle(lvHandle, FALSE, TRUE);
        PhSetControlTheme(lvHandle, L"explorer");
        PhAddListViewColumn(lvHandle, 0, 0, 0, LVCFMT_LEFT, 60, L"DLL");
        PhAddListViewColumn(lvHandle, 1, 1, 1, LVCFMT_LEFT, 200, L"Name");
        PhAddListViewColumn(lvHandle, 2, 2, 2, LVCFMT_LEFT, 40, L"Ordinal/Hint");
        PhAddListViewColumn(lvHandle, 3, 3, 3, LVCFMT_LEFT, 40, L"Type");
        PhAddListViewColumn(lvHandle, 4, 4, 4, LVCFMT_LEFT, 60, L"Name Type");
        PhSetExtendedListView(lvHandle);
        ExtendedListView_AddFallbackColumns(lvHandle, 4, fallbackColumns);

        // Start from the last standard member and iterate in place.
        // NOTE(review): assumes PvMappedArchive.LastStandardMember is non-NULL
        // when this dialog is created — confirm against the caller.
        member = *PvMappedArchive.LastStandardMember;

        while (NT_SUCCESS(PhGetNextMappedArchiveMember(&member, &member)))
        {
            // Members that are not import entries are skipped silently.
            if (!NT_SUCCESS(PhGetMappedArchiveImportEntry(&member, &importEntry)))
                continue;

            PvpAddImportEntryItem(lvHandle, &importEntry);
        }

        ExtendedListView_SortItems(lvHandle);
    }
    else if (uMsg == WM_NOTIFY)
    {
        PvHandleListViewNotifyForCopy(lParam, GetDlgItem(hwndDlg, IDC_LIST));
    }

    return FALSE;
}
/**
 * Builds a process item for an entry found by the hidden-process scan so the
 * normal process UI can display it. For a NormalProcess entry the existing
 * process item is returned (referenced) when one exists; otherwise a fresh
 * item is created, populated from whatever can be queried about the process,
 * and its Stage 1 event is set.
 *
 * \param Entry The hidden process entry (process ID, type, file name).
 *
 * \return A referenced process item, or NULL if no process record could be
 * borrowed from the System Idle Process item. The caller owns the reference.
 */
static PPH_PROCESS_ITEM PhpCreateProcessItemForHiddenProcess(
    _In_ PPH_HIDDEN_PROCESS_ENTRY Entry
    )
{
    NTSTATUS status;
    PPH_PROCESS_ITEM processItem;
    PPH_PROCESS_ITEM idleProcessItem;
    HANDLE processHandle;
    PROCESS_BASIC_INFORMATION basicInfo;
    KERNEL_USER_TIMES times;
    PROCESS_PRIORITY_CLASS priorityClass;
    ULONG handleCount;
    HANDLE processHandle2;

    // A normally visible process already has an item: reuse it.
    if (Entry->Type == NormalProcess)
    {
        processItem = PhReferenceProcessItem(Entry->ProcessId);

        if (processItem)
            return processItem;
    }

    processItem = PhCreateProcessItem(Entry->ProcessId);

    // Mark the process as terminated if necessary.
    if (Entry->Type == TerminatedProcess)
        processItem->State |= PH_PROCESS_ITEM_REMOVED;

    // We need a process record. Just use the record of System Idle Process.
    // Without it the new item is released and NULL is returned.
    if (idleProcessItem = PhReferenceProcessItem(SYSTEM_IDLE_PROCESS_ID))
    {
        processItem->Record = idleProcessItem->Record;
        PhReferenceProcessRecord(processItem->Record);
    }
    else
    {
        PhDereferenceObject(processItem);
        return NULL;
    }

    // Set up the file name and process name.

    PhSwapReference(&processItem->FileName, Entry->FileName);

    if (processItem->FileName)
    {
        processItem->ProcessName = PhGetBaseName(processItem->FileName);
    }
    else
    {
        processItem->ProcessName = PhCreateString(L"Unknown");
    }

    // How the process is opened depends on the scan method that found it:
    // brute force entries by PID, otherwise via CSR handles.
    if (ProcessesMethod == BruteForceScanMethod)
    {
        status = PhOpenProcess(
            &processHandle,
            ProcessQueryAccess,
            Entry->ProcessId
            );
    }
    else
    {
        status = PhOpenProcessByCsrHandles(
            &processHandle,
            ProcessQueryAccess,
            Entry->ProcessId
            );
    }

    if (NT_SUCCESS(status))
    {
        // Basic information and not-so-dynamic information

        // Ownership of processHandle passes to the process item; it is not
        // closed in this function.
        processItem->QueryHandle = processHandle;

        if (NT_SUCCESS(PhGetProcessBasicInformation(processHandle, &basicInfo)))
        {
            processItem->ParentProcessId = basicInfo.InheritedFromUniqueProcessId;
            processItem->BasePriority = basicInfo.BasePriority;
        }

        // Return value deliberately ignored: the strings below are printed from
        // whatever the item holds, even if this query failed.
        PhGetProcessSessionId(processHandle, &processItem->SessionId);

        PhPrintUInt32(processItem->ParentProcessIdString, HandleToUlong(processItem->ParentProcessId));
        PhPrintUInt32(processItem->SessionIdString, processItem->SessionId);

        if (NT_SUCCESS(PhGetProcessTimes(processHandle, &times)))
        {
            processItem->CreateTime = times.CreateTime;
            processItem->KernelTime = times.KernelTime;
            processItem->UserTime = times.UserTime;
        }

        // TODO: Token information?

        if (NT_SUCCESS(NtQueryInformationProcess(
            processHandle,
            ProcessPriorityClass,
            &priorityClass,
            sizeof(PROCESS_PRIORITY_CLASS),
            NULL
            )))
        {
            processItem->PriorityClass = priorityClass.PriorityClass;
        }

        if (NT_SUCCESS(NtQueryInformationProcess(
            processHandle,
            ProcessHandleCount,
            &handleCount,
            sizeof(ULONG),
            NULL
            )))
        {
            processItem->NumberOfHandles = handleCount;
        }
    }

    // Stage 1
    // Some copy and paste magic here...

    if (processItem->FileName)
    {
        // Small icon, large icon.
        ExtractIconEx(
            processItem->FileName->Buffer,
            0,
            &processItem->LargeIcon,
            &processItem->SmallIcon,
            1
            );

        // Version info.
        PhInitializeImageVersionInfo(&processItem->VersionInfo, processItem->FileName->Buffer);
    }

    // Use the default EXE icon if we didn't get the file's icon.
    {
        // If only one of the two icons was extracted, drop it so both come from
        // the stock icon and are owned consistently.
        if (!processItem->SmallIcon || !processItem->LargeIcon)
        {
            if (processItem->SmallIcon)
            {
                DestroyIcon(processItem->SmallIcon);
                processItem->SmallIcon = NULL;
            }
            else if (processItem->LargeIcon)
            {
                DestroyIcon(processItem->LargeIcon);
                processItem->LargeIcon = NULL;
            }

            // The stock icons are shared, so the item gets its own copies.
            PhGetStockApplicationIcon(&processItem->SmallIcon, &processItem->LargeIcon);
            processItem->SmallIcon = DuplicateIcon(NULL, processItem->SmallIcon);
            processItem->LargeIcon = DuplicateIcon(NULL, processItem->LargeIcon);
        }
    }

    // POSIX, command line

    // A second, separately closed handle: reading the command line needs
    // PROCESS_VM_READ in addition to query access.
    status = PhOpenProcess(
        &processHandle2,
        ProcessQueryAccess | PROCESS_VM_READ,
        Entry->ProcessId
        );

    if (NT_SUCCESS(status))
    {
        BOOLEAN isPosix = FALSE;
        PPH_STRING commandLine;
        ULONG i;

        status = PhGetProcessIsPosix(processHandle2, &isPosix);
        processItem->IsPosix = isPosix;

        // A failed POSIX query falls back to the Win32 command line path.
        if (!NT_SUCCESS(status) || !isPosix)
        {
            status = PhGetProcessCommandLine(processHandle2, &commandLine);

            if (NT_SUCCESS(status))
            {
                // Some command lines (e.g. from taskeng.exe) have nulls in them.
                // Since Windows can't display them, we'll replace them with
                // spaces. (Length is in bytes, so /2 gives the WCHAR count.)
                for (i = 0; i < (ULONG)commandLine->Length / 2; i++)
                {
                    if (commandLine->Buffer[i] == 0)
                        commandLine->Buffer[i] = ' ';
                }
            }
        }
        else
        {
            // Get the POSIX command line.
            status = PhGetProcessPosixCommandLine(processHandle2, &commandLine);
        }

        // The item takes over the command line reference on success.
        if (NT_SUCCESS(status))
        {
            processItem->CommandLine = commandLine;
        }

        NtClose(processHandle2);
    }

    // TODO: Other stage 1 tasks.

    PhSetEvent(&processItem->Stage1Event);

    return processItem;
}
/**
 * Provider callback that refreshes the service table from the Service Control
 * Manager. Each run enumerates all services, removes items for services that
 * no longer exist (raising PhServiceRemovedEvent), creates items for new ones
 * (PhServiceAddedEvent) and updates changed ones (PhServiceModifiedEvent),
 * keeping each service attached to its owning process item. It ends by raising
 * PhServicesUpdatedEvent.
 *
 * The SCM handle, the name-entry array and the run counter persist in static
 * storage across calls; the enumeration is assumed to run on a single provider
 * thread.
 *
 * \param Object Unused.
 */
VOID PhServiceProviderUpdate(
    _In_ PVOID Object
    )
{
    // Opened on first use and never closed.
    static SC_HANDLE scManagerHandle = NULL;
    static ULONG runCount = 0;

    // Scratch hash set over the freshly enumerated service names; rebuilt every run.
    static PPH_HASH_ENTRY nameHashSet[256];
    // Grows only; each entry points into the current 'services' buffer.
    static PPHP_SERVICE_NAME_ENTRY nameEntries = NULL;
    static ULONG nameEntriesCount;
    static ULONG nameEntriesAllocated = 0;

    LPENUM_SERVICE_STATUS_PROCESS services;
    ULONG numberOfServices;
    ULONG i;
    PPH_HASH_ENTRY hashEntry;

    // We always execute the first run, and we only initialize non-polling after the first run.
    if (PhEnableServiceNonPoll && runCount != 0)
    {
        if (!PhpNonPollInitialized)
        {
            if (WindowsVersion >= WINDOWS_VISTA)
            {
                PhpInitializeServiceNonPoll();
            }

            PhpNonPollInitialized = TRUE;
        }

        if (PhpNonPollActive)
        {
            // The gate is consumed atomically; a zero value means nothing changed
            // since the last run.
            if (InterlockedExchange(&PhpNonPollGate, 0) == 0)
            {
                // Non-poll gate is closed; skip all processing.
                goto UpdateEnd;
            }
        }
    }

    if (!scManagerHandle)
    {
        scManagerHandle = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT | SC_MANAGER_ENUMERATE_SERVICE);

        // Note: these early returns skip PhServicesUpdatedEvent and do not
        // advance runCount, so the next call is treated as a first run again.
        if (!scManagerHandle)
            return;
    }

    services = PhEnumServices(scManagerHandle, 0, 0, &numberOfServices);

    if (!services)
        return;

    // Build a hash set containing the service names.

    // This has caused a massive decrease in background CPU usage, and
    // is certainly much better than the quadratic-time string comparisons
    // we were doing before (in the "Look for dead services" section).

    // Entries from the previous run are discarded here; they pointed into a
    // 'services' buffer that has since been freed.
    nameEntriesCount = 0;

    if (nameEntriesAllocated < numberOfServices)
    {
        nameEntriesAllocated = numberOfServices + 32;

        if (nameEntries) PhFree(nameEntries);
        nameEntries = PhAllocate(sizeof(PHP_SERVICE_NAME_ENTRY) * nameEntriesAllocated);
    }

    PhInitializeHashSet(nameHashSet, PH_HASH_SET_SIZE(nameHashSet));

    for (i = 0; i < numberOfServices; i++)
    {
        PPHP_SERVICE_NAME_ENTRY entry;

        entry = &nameEntries[nameEntriesCount++];
        PhInitializeStringRefLongHint(&entry->Name, services[i].lpServiceName);
        entry->ServiceEntry = &services[i];
        PhAddEntryHashSet(
            nameHashSet,
            PH_HASH_SET_SIZE(nameHashSet),
            &entry->HashEntry,
            PhpHashServiceNameEntry(entry)
            );
    }

    // Look for dead services.
    {
        PPH_LIST servicesToRemove = NULL;
        PH_HASHTABLE_ENUM_CONTEXT enumContext;
        PPH_SERVICE_ITEM *serviceItem;

        // NOTE(review): the hashtable is enumerated without PhServiceHashtableLock;
        // only the removals below take it. Presumably this provider is the sole
        // writer — confirm.
        PhBeginEnumHashtable(PhServiceHashtable, &enumContext);

        while (serviceItem = PhNextEnumHashtable(&enumContext))
        {
            BOOLEAN found = FALSE;
            PHP_SERVICE_NAME_ENTRY lookupNameEntry;

            // Check if the service still exists.

            lookupNameEntry.Name = (*serviceItem)->Name->sr;
            hashEntry = PhFindEntryHashSet(
                nameHashSet,
                PH_HASH_SET_SIZE(nameHashSet),
                PhpHashServiceNameEntry(&lookupNameEntry)
                );

            // Walk the bucket chain; hash collisions are resolved by full comparison.
            for (; hashEntry; hashEntry = hashEntry->Next)
            {
                PPHP_SERVICE_NAME_ENTRY nameEntry;

                nameEntry = CONTAINING_RECORD(hashEntry, PHP_SERVICE_NAME_ENTRY, HashEntry);

                if (PhpCompareServiceNameEntry(&lookupNameEntry, nameEntry))
                {
                    found = TRUE;
                    break;
                }
            }

            if (!found)
            {
                // Remove the service from its process.
                if ((*serviceItem)->ProcessId)
                {
                    PPH_PROCESS_ITEM processItem;

                    processItem = PhReferenceProcessItem((HANDLE)(*serviceItem)->ProcessId);

                    if (processItem)
                    {
                        PhpRemoveProcessItemService(processItem, *serviceItem);
                        PhDereferenceObject(processItem);
                    }
                }

                // Raise the service removed event.
                PhInvokeCallback(&PhServiceRemovedEvent, *serviceItem);

                // Removal is deferred so the hashtable is not modified mid-enumeration.
                if (!servicesToRemove)
                    servicesToRemove = PhCreateList(2);

                PhAddItemList(servicesToRemove, *serviceItem);
            }
        }

        if (servicesToRemove)
        {
            PhAcquireQueuedLockExclusive(&PhServiceHashtableLock);

            for (i = 0; i < servicesToRemove->Count; i++)
            {
                PhpRemoveServiceItem((PPH_SERVICE_ITEM)servicesToRemove->Items[i]);
            }

            PhReleaseQueuedLockExclusive(&PhServiceHashtableLock);
            PhDereferenceObject(servicesToRemove);
        }
    }

    // Look for new services and update existing ones.
    for (i = 0; i < PH_HASH_SET_SIZE(nameHashSet); i++)
    {
        for (hashEntry = nameHashSet[i]; hashEntry; hashEntry = hashEntry->Next)
        {
            PPH_SERVICE_ITEM serviceItem;
            PPHP_SERVICE_NAME_ENTRY nameEntry;
            ENUM_SERVICE_STATUS_PROCESS *serviceEntry;

            nameEntry = CONTAINING_RECORD(hashEntry, PHP_SERVICE_NAME_ENTRY, HashEntry);
            serviceEntry = nameEntry->ServiceEntry;
            serviceItem = PhpLookupServiceItem(&nameEntry->Name);

            if (!serviceItem)
            {
                // Create the service item and fill in basic information.

                serviceItem = PhCreateServiceItem(serviceEntry);

                PhpUpdateServiceItemConfig(scManagerHandle, serviceItem);

                // Add the service to its process, if appropriate.
                if (
                    (
                    serviceItem->State == SERVICE_RUNNING ||
                    serviceItem->State == SERVICE_PAUSED
                    ) &&
                    serviceItem->ProcessId
                    )
                {
                    PPH_PROCESS_ITEM processItem;

                    if (processItem = PhReferenceProcessItem(serviceItem->ProcessId))
                    {
                        PhpAddProcessItemService(processItem, serviceItem);
                        PhDereferenceObject(processItem);
                    }
                    else
                    {
                        // The process doesn't exist yet (to us). Set the pending
                        // flag and when the process is added this will be
                        // fixed.
                        serviceItem->PendingProcess = TRUE;
                    }
                }

                // Add the service item to the hashtable.
                PhAcquireQueuedLockExclusive(&PhServiceHashtableLock);
                PhAddEntryHashtable(PhServiceHashtable, &serviceItem);
                PhReleaseQueuedLockExclusive(&PhServiceHashtableLock);

                // Raise the service added event.
                PhInvokeCallback(&PhServiceAddedEvent, serviceItem);
            }
            else
            {
                // Only status fields that the UI tracks are compared; anything else
                // goes through NeedsConfigUpdate.
                if (
                    serviceItem->Type != serviceEntry->ServiceStatusProcess.dwServiceType ||
                    serviceItem->State != serviceEntry->ServiceStatusProcess.dwCurrentState ||
                    serviceItem->ControlsAccepted != serviceEntry->ServiceStatusProcess.dwControlsAccepted ||
                    serviceItem->ProcessId != UlongToHandle(serviceEntry->ServiceStatusProcess.dwProcessId) ||
                    serviceItem->NeedsConfigUpdate
                    )
                {
                    PH_SERVICE_MODIFIED_DATA serviceModifiedData;
                    PH_SERVICE_CHANGE serviceChange;

                    // The service has been "modified".

                    // OldService is a partial snapshot: only the four compared
                    // fields are copied, everything else is zero.
                    serviceModifiedData.Service = serviceItem;
                    memset(&serviceModifiedData.OldService, 0, sizeof(PH_SERVICE_ITEM));
                    serviceModifiedData.OldService.Type = serviceItem->Type;
                    serviceModifiedData.OldService.State = serviceItem->State;
                    serviceModifiedData.OldService.ControlsAccepted = serviceItem->ControlsAccepted;
                    serviceModifiedData.OldService.ProcessId = serviceItem->ProcessId;

                    // Update the service item.
                    serviceItem->Type = serviceEntry->ServiceStatusProcess.dwServiceType;
                    serviceItem->State = serviceEntry->ServiceStatusProcess.dwCurrentState;
                    serviceItem->ControlsAccepted = serviceEntry->ServiceStatusProcess.dwControlsAccepted;
                    serviceItem->ProcessId = UlongToHandle(serviceEntry->ServiceStatusProcess.dwProcessId);

                    if (serviceItem->ProcessId)
                        PhPrintUInt32(serviceItem->ProcessIdString, HandleToUlong(serviceItem->ProcessId));
                    else
                        serviceItem->ProcessIdString[0] = 0;

                    // Add/remove the service from its process.

                    serviceChange = PhGetServiceChange(&serviceModifiedData);

                    if (
                        (serviceChange == ServiceStarted && serviceItem->ProcessId) ||
                        (serviceChange == ServiceStopped && serviceModifiedData.OldService.ProcessId)
                        )
                    {
                        PPH_PROCESS_ITEM processItem;

                        // Started: attach to the new process; stopped: detach from the old one.
                        if (serviceChange == ServiceStarted)
                            processItem = PhReferenceProcessItem(serviceItem->ProcessId);
                        else
                            processItem = PhReferenceProcessItem(serviceModifiedData.OldService.ProcessId);

                        if (processItem)
                        {
                            if (serviceChange == ServiceStarted)
                                PhpAddProcessItemService(processItem, serviceItem);
                            else
                                PhpRemoveProcessItemService(processItem, serviceItem);

                            PhDereferenceObject(processItem);
                        }
                        else
                        {
                            if (serviceChange == ServiceStarted)
                                serviceItem->PendingProcess = TRUE;
                            else
                                serviceItem->PendingProcess = FALSE;
                        }
                    }
                    else if (
                        serviceItem->State == SERVICE_RUNNING &&
                        serviceItem->ProcessId != serviceModifiedData.OldService.ProcessId &&
                        serviceItem->ProcessId
                        )
                    {
                        PPH_PROCESS_ITEM processItem;

                        // The service stopped and started, and the only change we have detected
                        // is in the process ID.

                        if (processItem = PhReferenceProcessItem(serviceModifiedData.OldService.ProcessId))
                        {
                            PhpRemoveProcessItemService(processItem, serviceItem);
                            PhDereferenceObject(processItem);
                        }

                        if (processItem = PhReferenceProcessItem(serviceItem->ProcessId))
                        {
                            PhpAddProcessItemService(processItem, serviceItem);
                            PhDereferenceObject(processItem);
                        }
                        else
                        {
                            serviceItem->PendingProcess = TRUE;
                        }
                    }

                    // Do a config update if necessary.
                    if (serviceItem->NeedsConfigUpdate)
                    {
                        PhpUpdateServiceItemConfig(scManagerHandle, serviceItem);
                        serviceItem->NeedsConfigUpdate = FALSE;
                    }

                    // Raise the service modified event.
                    PhInvokeCallback(&PhServiceModifiedEvent, &serviceModifiedData);
                }
            }
        }
    }

    // After this point the nameEntries/nameHashSet contents are dangling and
    // must not be read until the next run rebuilds them.
    PhFree(services);

UpdateEnd:
    PhInvokeCallback(&PhServicesUpdatedEvent, NULL);
    runCount++;
}
/**
 * Filter callback for the service tree: decides whether a service node stays
 * visible for the current search box text. A node is kept when the search box
 * is empty or when the search words match the service's type, state, start
 * type or error control text, its name or display name, its process ID (or the
 * owning process node via ProcessTreeFilterCallback), or the file name /
 * binary path queried from the SCM.
 *
 * \param Node The tree node; must be a PPH_SERVICE_NODE.
 * \param Context Unused.
 *
 * \return TRUE to show the node, FALSE to hide it.
 */
BOOLEAN ServiceTreeFilterCallback(
    _In_ PPH_TREENEW_NODE Node,
    _In_opt_ PVOID Context
    )
{
    PPH_SERVICE_ITEM serviceItem = ((PPH_SERVICE_NODE)Node)->ServiceItem;
    PPH_STRING fileName = NULL;
    PPH_STRING binaryPath = NULL;
    PPH_PROCESS_NODE processNode;
    WCHAR pidText[PH_INT32_STR_LEN_1];
    BOOLEAN matched;

    // No search text: nothing is filtered out.
    if (PhIsNullOrEmptyString(SearchboxText))
        return TRUE;

    // Enumerated attributes, compared through their display strings.
    if (WordMatchStringZ(PhGetServiceTypeString(serviceItem->Type)) ||
        WordMatchStringZ(PhGetServiceStateString(serviceItem->State)) ||
        WordMatchStringZ(PhGetServiceStartTypeString(serviceItem->StartType)) ||
        WordMatchStringZ(PhGetServiceErrorControlString(serviceItem->ErrorControl)))
        return TRUE;

    if (!PhIsNullOrEmptyString(serviceItem->Name) &&
        WordMatchStringRef(&serviceItem->Name->sr))
        return TRUE;

    if (!PhIsNullOrEmptyString(serviceItem->DisplayName) &&
        WordMatchStringRef(&serviceItem->DisplayName->sr))
        return TRUE;

    // Process ID as text, then the owning process node's own filter.
    if (serviceItem->ProcessId)
    {
        PhPrintUInt32(pidText, HandleToUlong(serviceItem->ProcessId));

        if (WordMatchStringZ(pidText))
            return TRUE;

        processNode = PhFindProcessNode(serviceItem->ProcessId);

        if (processNode && ProcessTreeFilterCallback(&processNode->Node, NULL))
            return TRUE;
    }

    // File name and binary path are queried from the SCM on every filter call.
    // NOTE(review): Name is dereferenced here unconditionally, whereas the match
    // above guards it with PhIsNullOrEmptyString — confirm Name is always set.
    if (!NT_SUCCESS(QueryServiceFileName(&serviceItem->Name->sr, &fileName, &binaryPath)))
        return FALSE;

    // Both strings are released before returning, whichever one matched.
    matched = FALSE;

    if (fileName)
    {
        if (WordMatchStringRef(&fileName->sr))
            matched = TRUE;

        PhDereferenceObject(fileName);
    }

    if (binaryPath)
    {
        if (WordMatchStringRef(&binaryPath->sr))
            matched = TRUE;

        PhDereferenceObject(binaryPath);
    }

    return matched;
}
/**
 * Records one working-set fault for the instruction pointer FaultingPc.
 *
 * The hashtable maps a faulting PC to its hit count (stored as a pointer-sized
 * integer). A PC seen for the first time gets a hashtable entry, a list view
 * row labelled with a cheap module+offset symbol, and a queued full symbol
 * lookup; in every case the count column of the row is refreshed.
 */
static VOID EtpRecordWsWatchFault(
    _In_ PWS_WATCH_CONTEXT Context,
    _In_ PVOID FaultingPc
    )
{
    PPVOID countSlot;
    ULONG hitCount;
    INT rowIndex;
    WCHAR countText[PH_INT32_STR_LEN_1];

    countSlot = PhFindItemSimpleHashtable(Context->Hashtable, FaultingPc);

    if (countSlot)
    {
        // Known PC: bump the count in place and locate its existing row by param.
        hitCount = PtrToUlong(*countSlot) + 1;
        *countSlot = UlongToPtr(hitCount);
        rowIndex = PhFindListViewItemByParam(Context->ListViewHandle, -1, FaultingPc);
    }
    else
    {
        PPH_STRING quickSymbol;

        hitCount = 1;
        PhAddItemSimpleHashtable(Context->Hashtable, FaultingPc, UlongToPtr(1));

        // Label the new row with a basic symbol now; the full name arrives later
        // through the queued lookup and is applied by EtpProcessSymbolLookupResults.
        quickSymbol = EtpGetBasicSymbol(Context->SymbolProvider, (ULONG64)FaultingPc);
        rowIndex = PhAddListViewItem(Context->ListViewHandle, MAXINT, quickSymbol->Buffer, FaultingPc);
        PhDereferenceObject(quickSymbol);

        EtpQueueSymbolLookup(Context, FaultingPc);
    }

    PhPrintUInt32(countText, hitCount);
    PhSetListViewSubItem(Context->ListViewHandle, rowIndex, 1, countText);
}

/**
 * Polls the working-set watch information of the context's process and
 * folds any new page faults into the hashtable and list view.
 *
 * \param hwndDlg The WS watch dialog.
 * \param Context The per-dialog context holding the process handle, the
 * reusable query buffer, the hashtable of counts and the list view.
 *
 * \return FALSE when WS watch is not enabled for the process or the query
 * failed; TRUE when the list view reflects the latest information. Pending
 * symbol lookup results are applied and the list re-sorted on every path
 * except the "not enabled" one.
 */
static BOOLEAN EtpUpdateWsWatch(
    _In_ HWND hwndDlg,
    _In_ PWS_WATCH_CONTEXT Context
    )
{
    NTSTATUS status;
    ULONG returnLength;
    BOOLEAN result = FALSE;
    BOOLEAN haveNewFaults = FALSE;

    // Query WS watch information.

    if (!Context->Buffer)
        return FALSE;

    status = NtQueryInformationProcess(
        Context->ProcessHandle,
        ProcessWorkingSetWatchEx,
        Context->Buffer,
        Context->BufferSize,
        &returnLength
        );

    switch (status)
    {
    case STATUS_UNSUCCESSFUL:
        // WS Watch is not enabled for this process; nothing to update at all.
        return FALSE;
    case STATUS_NO_MORE_ENTRIES:
        // No new faults since the last poll, but symbol lookup results may be waiting.
        result = TRUE;
        break;
    case STATUS_BUFFER_TOO_SMALL:
    case STATUS_INFO_LENGTH_MISMATCH:
        // Grow the buffer to the size the kernel reported and retry once.
        PhFree(Context->Buffer);
        Context->Buffer = PhAllocate(returnLength);
        Context->BufferSize = returnLength;

        status = NtQueryInformationProcess(
            Context->ProcessHandle,
            ProcessWorkingSetWatchEx,
            Context->Buffer,
            Context->BufferSize,
            &returnLength
            );
        /* fallthrough */
    default:
        if (NT_SUCCESS(status))
        {
            haveNewFaults = TRUE;
            result = TRUE;
        }
        // Otherwise the buffer could not be filled this time; try again later.
        break;
    }

    if (haveNewFaults)
    {
        PPROCESS_WS_WATCH_INFORMATION_EX fault = Context->Buffer;

        // Update the hashtable and list view.

        ExtendedListView_SetRedraw(Context->ListViewHandle, FALSE);

        // The array is walked up to the entry whose FaultingPc is NULL, which
        // is what the original loop relied on as the terminator.
        for (; fault->BasicInfo.FaultingPc; fault++)
            EtpRecordWsWatchFault(Context, fault->BasicInfo.FaultingPc);

        ExtendedListView_SetRedraw(Context->ListViewHandle, TRUE);
    }

    EtpProcessSymbolLookupResults(hwndDlg, Context);
    ExtendedListView_SortItems(Context->ListViewHandle);

    return result;
}
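/**
 * Re-populates the unloaded DLLs list view for the context's process.
 *
 * The element size, element count and trace pointer of ntdll's unload event
 * trace are read out of the target process, the trace is copied into a local
 * buffer and one row per recorded unload is added. Every value read from the
 * target is treated as untrusted: the count is clamped, the element size must
 * cover the RTL_UNLOAD_EVENT_TRACE fields indexed below, and the total size
 * is checked for ULONG overflow before allocation.
 *
 * \param hwndDlg The dialog owning the IDC_LIST list view.
 * \param Context The dialog context; Context->ProcessItem->ProcessId is the
 * process to inspect and Context->CapturedEventTrace receives ownership of the
 * captured buffer on success (the previous one is freed). List view items
 * store pointers into that buffer as their param, so it must outlive them.
 *
 * \return TRUE on success (including "no events recorded"); FALSE after
 * showing the failure status to the user.
 */
BOOLEAN EtpRefreshUnloadedDlls(
    __in HWND hwndDlg,
    __in PUNLOADED_DLLS_CONTEXT Context
)
{
    NTSTATUS status;
    PULONG elementSize;
    PULONG elementCount;
    PVOID eventTrace;
    HANDLE processHandle = NULL;
    ULONG eventTraceSize;
    ULONG capturedElementSize;
    ULONG capturedElementCount;
    PVOID capturedEventTracePointer;
    PVOID capturedEventTrace = NULL;
    ULONG i;
    PVOID currentEvent;
    HWND lvHandle;

    lvHandle = GetDlgItem(hwndDlg, IDC_LIST);
    ListView_DeleteAllItems(lvHandle);

    RtlGetUnloadEventTraceEx(&elementSize, &elementCount, &eventTrace);

    if (!NT_SUCCESS(status = PhOpenProcess(&processHandle, PROCESS_VM_READ, Context->ProcessItem->ProcessId)))
        goto CleanupExit;

    // We have the pointers for the unload event trace information.
    // Since ntdll is loaded at the same base address across all processes,
    // we can read the information in.

    if (!NT_SUCCESS(status = PhReadVirtualMemory(
                                 processHandle,
                                 elementSize,
                                 &capturedElementSize,
                                 sizeof(ULONG),
                                 NULL
                             )))
        goto CleanupExit;

    if (!NT_SUCCESS(status = PhReadVirtualMemory(
                                 processHandle,
                                 elementCount,
                                 &capturedElementCount,
                                 sizeof(ULONG),
                                 NULL
                             )))
        goto CleanupExit;

    if (!NT_SUCCESS(status = PhReadVirtualMemory(
                                 processHandle,
                                 eventTrace,
                                 &capturedEventTracePointer,
                                 sizeof(PVOID),
                                 NULL
                             )))
        goto CleanupExit;

    // status still holds the success of the last read, so these exits report TRUE.
    if (!capturedEventTracePointer || capturedElementCount == 0)
        goto CleanupExit; // no events

    if (capturedElementCount > 0x4000)
        capturedElementCount = 0x4000;

    // Both values came from the target's memory. A short element would make the
    // field reads in the loop below run past the end of the buffer, and an
    // oversized one could wrap the ULONG multiplication into a small allocation.
    if (capturedElementSize < sizeof(RTL_UNLOAD_EVENT_TRACE) ||
        capturedElementSize > ULONG_MAX / capturedElementCount)
    {
        status = STATUS_INFO_LENGTH_MISMATCH;
        goto CleanupExit;
    }

    eventTraceSize = capturedElementSize * capturedElementCount;

    capturedEventTrace = PhAllocateSafe(eventTraceSize);

    if (!capturedEventTrace)
    {
        status = STATUS_NO_MEMORY;
        goto CleanupExit;
    }

    if (!NT_SUCCESS(status = PhReadVirtualMemory(
                                 processHandle,
                                 capturedEventTracePointer,
                                 capturedEventTrace,
                                 eventTraceSize,
                                 NULL
                             )))
        goto CleanupExit;

    currentEvent = capturedEventTrace;

    ExtendedListView_SetRedraw(lvHandle, FALSE);

    for (i = 0; i < capturedElementCount; i++)
    {
        PRTL_UNLOAD_EVENT_TRACE rtlEvent = currentEvent;
        INT lvItemIndex;
        WCHAR buffer[128];
        PPH_STRING string;
        LARGE_INTEGER time;
        SYSTEMTIME systemTime;

        // An unused slot has no base address; the trace holds no entries past it.
        if (!rtlEvent->BaseAddress)
            break;

        PhPrintUInt32(buffer, rtlEvent->Sequence);
        lvItemIndex = PhAddListViewItem(lvHandle, MAXINT, buffer, rtlEvent);

        // Name: bounded by the in-structure length, so a non-terminated name
        // read from the target cannot overrun.
        if (PhCopyUnicodeStringZ(rtlEvent->ImageName, sizeof(rtlEvent->ImageName) / sizeof(WCHAR),
                                 buffer, sizeof(buffer) / sizeof(WCHAR), NULL))
        {
            PhSetListViewSubItem(lvHandle, lvItemIndex, 1, buffer);
        }

        // Base Address
        PhPrintPointer(buffer, rtlEvent->BaseAddress);
        PhSetListViewSubItem(lvHandle, lvItemIndex, 2, buffer);

        // Size
        string = PhFormatSize(rtlEvent->SizeOfImage, -1);
        PhSetListViewSubItem(lvHandle, lvItemIndex, 3, string->Buffer);
        PhDereferenceObject(string);

        // Time Stamp
        RtlSecondsSince1970ToTime(rtlEvent->TimeDateStamp, &time);
        PhLargeIntegerToLocalSystemTime(&systemTime, &time);
        string = PhFormatDateTime(&systemTime);
        PhSetListViewSubItem(lvHandle, lvItemIndex, 4, string->Buffer);
        PhDereferenceObject(string);

        // Checksum
        PhPrintPointer(buffer, UlongToPtr(rtlEvent->CheckSum));
        PhSetListViewSubItem(lvHandle, lvItemIndex, 5, buffer);

        // Advance by the target's element size, not sizeof(*rtlEvent): the
        // layout may carry trailing fields this build does not know about.
        currentEvent = PTR_ADD_OFFSET(currentEvent, capturedElementSize);
    }

    ExtendedListView_SortItems(lvHandle);
    ExtendedListView_SetRedraw(lvHandle, TRUE);

    // Hand the buffer to the context; the list view items point into it.
    if (Context->CapturedEventTrace)
        PhFree(Context->CapturedEventTrace);

    Context->CapturedEventTrace = capturedEventTrace;
    capturedEventTrace = NULL; // ownership transferred; do not free below

CleanupExit:

    // Only non-NULL when we failed after allocating but before the transfer
    // above; without this the partially captured buffer leaked.
    if (capturedEventTrace)
        PhFree(capturedEventTrace);

    if (processHandle)
        NtClose(processHandle);

    if (NT_SUCCESS(status))
    {
        return TRUE;
    }
    else
    {
        PhShowStatus(hwndDlg, L"Unable to retrieve unload event trace information", status, 0);
        return FALSE;
    }
}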
/**
 * Tree-new filter for the network tab: decides whether a node stays visible
 * for the current searchbox text.
 *
 * \param Node The network node under test.
 * \param Context Unused.
 *
 * \return TRUE when the searchbox is empty or any displayed field of the
 * node's network item matches the search words; FALSE otherwise.
 */
BOOLEAN NetworkTreeFilterCallback(
    _In_ PPH_TREENEW_NODE Node,
    _In_opt_ PVOID Context
    )
{
    PPH_NETWORK_ITEM item = ((PPH_NETWORK_NODE)Node)->NetworkItem;
    WCHAR pidString[32];

    // An empty search shows everything.
    if (PhIsNullOrEmptyString(SearchboxText))
        return TRUE;

    // Reference-counted string fields are optional; only present ones are compared.
    if (item->ProcessName && WordMatchStringRef(&item->ProcessName->sr))
        return TRUE;

    if (item->OwnerName && WordMatchStringRef(&item->OwnerName->sr))
        return TRUE;

    // Inline WCHAR buffers signal "not set" with an empty string.
    if (item->LocalAddressString[0] && WordMatchStringZ(item->LocalAddressString))
        return TRUE;

    if (item->LocalPortString[0] && WordMatchStringZ(item->LocalPortString))
        return TRUE;

    if (item->LocalHostString && WordMatchStringRef(&item->LocalHostString->sr))
        return TRUE;

    if (item->RemoteAddressString[0] && WordMatchStringZ(item->RemoteAddressString))
        return TRUE;

    if (item->RemotePortString[0] && WordMatchStringZ(item->RemotePortString))
        return TRUE;

    if (item->RemoteHostString && WordMatchStringRef(&item->RemoteHostString->sr))
        return TRUE;

    if (WordMatchStringZ(PhGetProtocolTypeName(item->ProtocolType)))
        return TRUE;

    // A TCP state name is only meaningful for TCP endpoints.
    if ((item->ProtocolType & PH_TCP_PROTOCOL_TYPE) &&
        WordMatchStringZ(PhGetTcpStateName(item->State)))
        return TRUE;

    // Last resort: the owning process ID rendered as decimal text.
    PhPrintUInt32(pidString, HandleToUlong(item->ProcessId));

    return WordMatchStringZ(pidString) ? TRUE : FALSE;
}
/**
 * Dialog procedure for the Job properties page.
 *
 * The shared page header (PhpJobPageHeader) resolves the page context for the
 * message; until it is available nothing is handled. A hook procedure stored
 * in the context gets first refusal of every message.
 *
 * WM_INITDIALOG opens the job with JOB_OBJECT_QUERY, shows its object name,
 * lists its processes and renders every limit/UI-restriction flag that is set.
 * WM_COMMAND handles terminate, add-process and advanced-properties buttons.
 * WM_NOTIFY applies the default list view behaviours to both list views.
 *
 * \param hwndDlg The page dialog.
 * \param uMsg The window message.
 * \param wParam Message-specific.
 * \param lParam Message-specific.
 *
 * \return TRUE when the hook procedure consumed the message; FALSE otherwise
 * (the switch below never reports a message as handled).
 */
INT_PTR CALLBACK PhpJobPageProc(
    __in HWND hwndDlg,
    __in UINT uMsg,
    __in WPARAM wParam,
    __in LPARAM lParam
    )
{
    PJOB_PAGE_CONTEXT jobPageContext;

    jobPageContext = PhpJobPageHeader(hwndDlg, uMsg, wParam, lParam);

    if (!jobPageContext)
        return FALSE;

    // The optional hook sees every message before the page's own handling.
    if (jobPageContext->HookProc)
    {
        if (jobPageContext->HookProc(hwndDlg, uMsg, wParam, lParam))
            return TRUE;
    }

    switch (uMsg)
    {
    case WM_INITDIALOG:
        {
            HANDLE jobHandle;
            HWND processesLv;
            HWND limitsLv;

            processesLv = GetDlgItem(hwndDlg, IDC_PROCESSES);
            limitsLv = GetDlgItem(hwndDlg, IDC_LIMITS);
            PhSetListViewStyle(processesLv, FALSE, TRUE);
            PhSetListViewStyle(limitsLv, FALSE, TRUE);
            PhSetControlTheme(processesLv, L"explorer");
            PhSetControlTheme(limitsLv, L"explorer");

            PhAddListViewColumn(processesLv, 0, 0, 0, LVCFMT_LEFT, 240, L"Name");

            PhAddListViewColumn(limitsLv, 0, 0, 0, LVCFMT_LEFT, 120, L"Name");
            PhAddListViewColumn(limitsLv, 1, 1, 1, LVCFMT_LEFT, 160, L"Value");

            // Placeholder in case the job cannot be opened below.
            SetDlgItemText(hwndDlg, IDC_NAME, L"Unknown");

            // Query access is enough for everything on this page; the handle is
            // closed at the end of this branch.
            if (NT_SUCCESS(jobPageContext->OpenObject(
                &jobHandle,
                JOB_OBJECT_QUERY,
                jobPageContext->Context
                )))
            {
                PPH_STRING jobObjectName = NULL;
                JOBOBJECT_EXTENDED_LIMIT_INFORMATION extendedLimits;
                JOBOBJECT_BASIC_UI_RESTRICTIONS basicUiRestrictions;

                // Name

                // The return value is ignored on purpose: on failure the name
                // stays NULL and the "(unnamed job)" default is shown.
                PhGetHandleInformation(
                    NtCurrentProcess(),
                    jobHandle,
                    -1,
                    NULL,
                    NULL,
                    NULL,
                    &jobObjectName
                    );
                // NOTE(review): PHA_DEREFERENCE looks like a deferred (auto-pool)
                // release, since the string is still used below — confirm.
                PHA_DEREFERENCE(jobObjectName);

                // An anonymous job reports an empty name; treat it like no name.
                if (jobObjectName && jobObjectName->Length == 0)
                    jobObjectName = NULL;

                SetDlgItemText(hwndDlg, IDC_NAME, PhGetStringOrDefault(jobObjectName, L"(unnamed job)"));

                // Processes
                PhpAddJobProcesses(hwndDlg, jobHandle);

                // Limits

                // Each limit row is only added when its flag is set, so the list
                // shows exactly the limits in force.
                if (NT_SUCCESS(PhGetJobExtendedLimits(jobHandle, &extendedLimits)))
                {
                    ULONG flags = extendedLimits.BasicLimitInformation.LimitFlags;

                    if (flags & JOB_OBJECT_LIMIT_ACTIVE_PROCESS)
                    {
                        WCHAR value[PH_INT32_STR_LEN_1];
                        PhPrintUInt32(value, extendedLimits.BasicLimitInformation.ActiveProcessLimit);
                        PhpAddLimit(limitsLv, L"Active Processes", value);
                    }

                    if (flags & JOB_OBJECT_LIMIT_AFFINITY)
                    {
                        WCHAR value[PH_PTR_STR_LEN_1];
                        // The affinity mask is shown in hex via the pointer formatter.
                        PhPrintPointer(value, (PVOID)extendedLimits.BasicLimitInformation.Affinity);
                        PhpAddLimit(limitsLv, L"Affinity", value);
                    }

                    if (flags & JOB_OBJECT_LIMIT_BREAKAWAY_OK)
                    {
                        PhpAddLimit(limitsLv, L"Breakaway OK", L"Enabled");
                    }

                    if (flags & JOB_OBJECT_LIMIT_DIE_ON_UNHANDLED_EXCEPTION)
                    {
                        PhpAddLimit(limitsLv, L"Die on Unhandled Exception", L"Enabled");
                    }

                    if (flags & JOB_OBJECT_LIMIT_JOB_MEMORY)
                    {
                        PPH_STRING value = PhFormatSize(extendedLimits.JobMemoryLimit, -1);
                        PhpAddLimit(limitsLv, L"Job Memory", value->Buffer);
                        PhDereferenceObject(value);
                    }

                    if (flags & JOB_OBJECT_LIMIT_JOB_TIME)
                    {
                        WCHAR value[PH_TIMESPAN_STR_LEN_1];
                        PhPrintTimeSpan(value, extendedLimits.BasicLimitInformation.PerJobUserTimeLimit.QuadPart,
                            PH_TIMESPAN_DHMS);
                        PhpAddLimit(limitsLv, L"Job Time", value);
                    }

                    if (flags & JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE)
                    {
                        PhpAddLimit(limitsLv, L"Kill on Job Close", L"Enabled");
                    }

                    if (flags & JOB_OBJECT_LIMIT_PRIORITY_CLASS)
                    {
                        PhpAddLimit(limitsLv, L"Priority Class",
                            PhGetProcessPriorityClassString(extendedLimits.BasicLimitInformation.PriorityClass));
                    }

                    if (flags & JOB_OBJECT_LIMIT_PROCESS_MEMORY)
                    {
                        PPH_STRING value = PhFormatSize(extendedLimits.ProcessMemoryLimit, -1);
                        PhpAddLimit(limitsLv, L"Process Memory", value->Buffer);
                        PhDereferenceObject(value);
                    }

                    if (flags & JOB_OBJECT_LIMIT_PROCESS_TIME)
                    {
                        WCHAR value[PH_TIMESPAN_STR_LEN_1];
                        PhPrintTimeSpan(value, extendedLimits.BasicLimitInformation.PerProcessUserTimeLimit.QuadPart,
                            PH_TIMESPAN_DHMS);
                        PhpAddLimit(limitsLv, L"Process Time", value);
                    }

                    if (flags & JOB_OBJECT_LIMIT_SCHEDULING_CLASS)
                    {
                        WCHAR value[PH_INT32_STR_LEN_1];
                        PhPrintUInt32(value, extendedLimits.BasicLimitInformation.SchedulingClass);
                        PhpAddLimit(limitsLv, L"Scheduling Class", value);
                    }

                    if (flags & JOB_OBJECT_LIMIT_SILENT_BREAKAWAY_OK)
                    {
                        PhpAddLimit(limitsLv, L"Silent Breakaway OK", L"Enabled");
                    }

                    if (flags & JOB_OBJECT_LIMIT_WORKINGSET)
                    {
                        PPH_STRING value;

                        value = PhFormatSize(extendedLimits.BasicLimitInformation.MinimumWorkingSetSize, -1);
                        PhpAddLimit(limitsLv, L"Working Set Minimum", value->Buffer);
                        PhDereferenceObject(value);

                        value = PhFormatSize(extendedLimits.BasicLimitInformation.MaximumWorkingSetSize, -1);
                        PhpAddLimit(limitsLv, L"Working Set Maximum", value->Buffer);
                        PhDereferenceObject(value);
                    }
                }

                // UI restrictions are listed after the basic/extended limits.
                if (NT_SUCCESS(PhGetJobBasicUiRestrictions(jobHandle, &basicUiRestrictions)))
                {
                    ULONG flags = basicUiRestrictions.UIRestrictionsClass;

                    if (flags & JOB_OBJECT_UILIMIT_DESKTOP)
                        PhpAddLimit(limitsLv, L"Desktop", L"Limited");
                    if (flags & JOB_OBJECT_UILIMIT_DISPLAYSETTINGS)
                        PhpAddLimit(limitsLv, L"Display Settings", L"Limited");
                    if (flags & JOB_OBJECT_UILIMIT_EXITWINDOWS)
                        PhpAddLimit(limitsLv, L"Exit Windows", L"Limited");
                    if (flags & JOB_OBJECT_UILIMIT_GLOBALATOMS)
                        PhpAddLimit(limitsLv, L"Global Atoms", L"Limited");
                    if (flags & JOB_OBJECT_UILIMIT_HANDLES)
                        PhpAddLimit(limitsLv, L"Handles", L"Limited");
                    if (flags & JOB_OBJECT_UILIMIT_READCLIPBOARD)
                        PhpAddLimit(limitsLv, L"Read Clipboard", L"Limited");
                    if (flags & JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS)
                        PhpAddLimit(limitsLv, L"System Parameters", L"Limited");
                    if (flags & JOB_OBJECT_UILIMIT_WRITECLIPBOARD)
                        PhpAddLimit(limitsLv, L"Write Clipboard", L"Limited");
                }

                NtClose(jobHandle);
            }
        }
        break;
    case WM_COMMAND:
        {
            switch (LOWORD(wParam))
            {
            case IDC_TERMINATE:
                {
                    // Destructive: confirm first, then re-open the job with the
                    // terminate right only for the duration of the call.
                    if (PhShowConfirmMessage(
                        hwndDlg,
                        L"terminate",
                        L"the job",
                        L"Terminating a job will terminate all processes assigned to it.",
                        TRUE
                        ))
                    {
                        NTSTATUS status;
                        HANDLE jobHandle;

                        if (NT_SUCCESS(status = jobPageContext->OpenObject(
                            &jobHandle,
                            JOB_OBJECT_TERMINATE,
                            jobPageContext->Context
                            )))
                        {
                            status = NtTerminateJobObject(jobHandle, STATUS_SUCCESS);
                            NtClose(jobHandle);
                        }

                        // Covers both the open failure and the terminate failure.
                        if (!NT_SUCCESS(status))
                            PhShowStatus(hwndDlg, L"Unable to terminate the job", status, 0);
                    }
                }
                break;
            case IDC_ADD:
                {
                    NTSTATUS status;
                    HANDLE processId;
                    HANDLE processHandle;
                    HANDLE jobHandle;

                    // Keep prompting until a process is assigned or the user cancels;
                    // a failed attempt is reported and the chooser shown again.
                    while (PhShowChooseProcessDialog(
                        hwndDlg,
                        L"Select a process to add to the job permanently.",
                        &processId
                        ))
                    {
                        // PROCESS_SET_QUOTA | PROCESS_TERMINATE is the access
                        // required on the process for job assignment.
                        if (NT_SUCCESS(status = PhOpenProcess(
                            &processHandle,
                            PROCESS_TERMINATE | PROCESS_SET_QUOTA,
                            processId
                            )))
                        {
                            if (NT_SUCCESS(status = jobPageContext->OpenObject(
                                &jobHandle,
                                JOB_OBJECT_ASSIGN_PROCESS | JOB_OBJECT_QUERY,
                                jobPageContext->Context
                                )))
                            {
                                status = NtAssignProcessToJobObject(jobHandle, processHandle);

                                // Rebuild the process list from the job itself so
                                // it reflects the new membership.
                                if (NT_SUCCESS(status))
                                {
                                    ListView_DeleteAllItems(GetDlgItem(hwndDlg, IDC_PROCESSES));
                                    PhpAddJobProcesses(hwndDlg, jobHandle);
                                }

                                NtClose(jobHandle);
                            }

                            NtClose(processHandle);
                        }

                        if (NT_SUCCESS(status))
                            break;
                        else
                            PhShowStatus(hwndDlg, L"Unable to add the process to the job", status, 0);
                    }
                }
                break;
            case IDC_ADVANCED:
                {
                    PhpShowJobAdvancedProperties(hwndDlg, jobPageContext);
                }
                break;
            }
        }
        break;
    case WM_NOTIFY:
        {
            PhHandleListViewNotifyBehaviors(lParam, GetDlgItem(hwndDlg, IDC_PROCESSES), PH_LIST_VIEW_DEFAULT_1_BEHAVIORS);
            PhHandleListViewNotifyBehaviors(lParam, GetDlgItem(hwndDlg, IDC_LIMITS), PH_LIST_VIEW_DEFAULT_1_BEHAVIORS);
        }
        break;
    }

    return FALSE;
}
/**
 * Matches an optional PH_STRING field against the search words.
 *
 * \param String A reference-counted string that may be NULL or empty.
 *
 * \return TRUE only when the string is present, non-empty and matches.
 */
static BOOLEAN FilterMatchOptionalString(
    _In_opt_ PPH_STRING String
    )
{
    if (PhIsNullOrEmptyString(String))
        return FALSE;

    return WordMatchStringRef(&String->sr) ? TRUE : FALSE;
}

/**
 * Matches one service hosted by a process: its name, display name, hosting
 * process ID and, when QueryServiceFileName can resolve them, its image file
 * name and binary path.
 *
 * \param ServiceItem The service to test; the caller holds a reference.
 *
 * \return TRUE on the first matching field; FALSE when nothing matched.
 */
static BOOLEAN FilterMatchServiceItem(
    _In_ PPH_SERVICE_ITEM ServiceItem
    )
{
    PPH_STRING serviceFileName = NULL;
    PPH_STRING serviceBinaryPath = NULL;
    BOOLEAN matched = FALSE;

    if (FilterMatchOptionalString(ServiceItem->Name))
        return TRUE;

    if (FilterMatchOptionalString(ServiceItem->DisplayName))
        return TRUE;

    if (ServiceItem->ProcessId)
    {
        WCHAR processIdString[PH_INT32_STR_LEN_1];

        PhPrintUInt32(processIdString, HandleToUlong(ServiceItem->ProcessId));

        if (WordMatchStringZ(processIdString))
            return TRUE;
    }

    if (!NT_SUCCESS(QueryServiceFileName(
        &ServiceItem->Name->sr,
        &serviceFileName,
        &serviceBinaryPath
        )))
        return FALSE;

    // Both strings are examined and released before returning, so a match on
    // the first never leaks the second.
    if (serviceFileName)
    {
        if (WordMatchStringRef(&serviceFileName->sr))
            matched = TRUE;

        PhDereferenceObject(serviceFileName);
    }

    if (serviceBinaryPath)
    {
        if (WordMatchStringRef(&serviceBinaryPath->sr))
            matched = TRUE;

        PhDereferenceObject(serviceBinaryPath);
    }

    return matched;
}

/**
 * Tree-new filter for the process tab: decides whether a process node stays
 * visible for the current searchbox text.
 *
 * Fields are tried in display order: names and version strings, user and
 * integrity, job and signer, ID strings, package, priority class, signature
 * verification result, elevation type, "Is*" attribute keywords and finally
 * the services hosted by the process.
 *
 * \param Node The process node under test.
 * \param Context Unused.
 *
 * \return TRUE when the searchbox is empty or any field matches; FALSE otherwise.
 */
BOOLEAN ProcessTreeFilterCallback(
    _In_ PPH_TREENEW_NODE Node,
    _In_opt_ PVOID Context
    )
{
    PPH_PROCESS_ITEM processItem = ((PPH_PROCESS_NODE)Node)->ProcessItem;

    // An empty search shows everything.
    if (PhIsNullOrEmptyString(SearchboxText))
        return TRUE;

    if (FilterMatchOptionalString(processItem->ProcessName) ||
        FilterMatchOptionalString(processItem->FileName) ||
        FilterMatchOptionalString(processItem->CommandLine) ||
        FilterMatchOptionalString(processItem->VersionInfo.CompanyName) ||
        FilterMatchOptionalString(processItem->VersionInfo.FileDescription) ||
        FilterMatchOptionalString(processItem->VersionInfo.FileVersion) ||
        FilterMatchOptionalString(processItem->VersionInfo.ProductName) ||
        FilterMatchOptionalString(processItem->UserName))
        return TRUE;

    // IntegrityString is a plain WCHAR pointer, not a PH_STRING.
    if (processItem->IntegrityString && WordMatchStringZ(processItem->IntegrityString))
        return TRUE;

    if (FilterMatchOptionalString(processItem->JobName) ||
        FilterMatchOptionalString(processItem->VerifySignerName))
        return TRUE;

    // Pre-rendered ID strings live in inline buffers; empty means not set.
    if (processItem->ProcessIdString[0] && WordMatchStringZ(processItem->ProcessIdString))
        return TRUE;

    if (processItem->ParentProcessIdString[0] && WordMatchStringZ(processItem->ParentProcessIdString))
        return TRUE;

    if (processItem->SessionIdString[0] && WordMatchStringZ(processItem->SessionIdString))
        return TRUE;

    if (FilterMatchOptionalString(processItem->PackageFullName))
        return TRUE;

    if (WordMatchStringZ(PhGetProcessPriorityClassString(processItem->PriorityClass)))
        return TRUE;

    // Signature verification result, searchable by its keyword; an unknown
    // result is not searchable, any other unlisted value reads as "Unknown".
    if (processItem->VerifyResult != VrUnknown)
    {
        PWSTR verifyText;

        switch (processItem->VerifyResult)
        {
        case VrNoSignature:
            verifyText = L"NoSignature";
            break;
        case VrTrusted:
            verifyText = L"Trusted";
            break;
        case VrExpired:
            verifyText = L"Expired";
            break;
        case VrRevoked:
            verifyText = L"Revoked";
            break;
        case VrDistrust:
            verifyText = L"Distrust";
            break;
        case VrSecuritySettings:
            verifyText = L"SecuritySettings";
            break;
        case VrBadSignature:
            verifyText = L"BadSignature";
            break;
        default:
            verifyText = L"Unknown";
            break;
        }

        if (WordMatchStringZ(verifyText))
            return TRUE;
    }

    // Elevation type keyword; only meaningful on systems with UAC and for
    // tokens that are not the default type.
    if (WINDOWS_HAS_UAC && processItem->ElevationType != TokenElevationTypeDefault)
    {
        PWSTR elevationText;

        switch (processItem->ElevationType)
        {
        case TokenElevationTypeLimited:
            elevationText = L"Limited";
            break;
        case TokenElevationTypeFull:
            elevationText = L"Full";
            break;
        default:
            elevationText = L"Unknown";
            break;
        }

        if (WordMatchStringZ(elevationText))
            return TRUE;
    }

    // Attribute keywords: the word has to match and the attribute has to be set.
    if ((WordMatchStringZ(L"IsBeingDebugged") && processItem->IsBeingDebugged) ||
        (WordMatchStringZ(L"IsDotNet") && processItem->IsDotNet) ||
        (WordMatchStringZ(L"IsElevated") && processItem->IsElevated) ||
        (WordMatchStringZ(L"IsInJob") && processItem->IsInJob) ||
        (WordMatchStringZ(L"IsInSignificantJob") && processItem->IsInSignificantJob) ||
        (WordMatchStringZ(L"IsPacked") && processItem->IsPacked) ||
        (WordMatchStringZ(L"IsSuspended") && processItem->IsSuspended) ||
        (WordMatchStringZ(L"IsWow64") && processItem->IsWow64) ||
        (WordMatchStringZ(L"IsImmersive") && processItem->IsImmersive))
        return TRUE;

    if (processItem->ServiceList && processItem->ServiceList->Count)
    {
        PPH_LIST snapshot;
        PPH_SERVICE_ITEM serviceItem;
        ULONG enumerationKey = 0;
        ULONG index;
        BOOLEAN matched = FALSE;

        // Snapshot the lock-protected service list (taking a reference on each
        // item) so the search below runs without holding the lock.
        snapshot = PhCreateList(processItem->ServiceList->Count);

        PhAcquireQueuedLockShared(&processItem->ServiceListLock);

        while (PhEnumPointerList(
            processItem->ServiceList,
            &enumerationKey,
            &serviceItem
            ))
        {
            PhReferenceObject(serviceItem);
            PhAddItemList(snapshot, serviceItem);
        }

        PhReleaseQueuedLockShared(&processItem->ServiceListLock);

        for (index = 0; index < snapshot->Count && !matched; index++)
            matched = FilterMatchServiceItem(snapshot->Items[index]);

        PhDereferenceObjects(snapshot->Items, snapshot->Count);
        PhDereferenceObject(snapshot);

        if (matched)
            return TRUE;
    }

    return FALSE;
}