VOID EtInitializeDiskInformation(
VOID
)
{
LARGE_INTEGER performanceCounter;
EtDiskItemType = PhCreateObjectType(L"DiskItem", 0, EtpDiskItemDeleteProcedure);
EtDiskHashtable = PhCreateHashtable(
sizeof(PET_DISK_ITEM),
EtpDiskHashtableEqualFunction,
EtpDiskHashtableHashFunction,
128
);
InitializeListHead(&EtDiskAgeListHead);
PhInitializeFreeList(&EtDiskPacketFreeList, sizeof(ETP_DISK_PACKET), 64);
RtlInitializeSListHead(&EtDiskPacketListHead);
EtFileNameHashtable = PhCreateSimpleHashtable(128);
NtQueryPerformanceCounter(&performanceCounter, &EtpPerformanceFrequency);
EtDiskEnabled = TRUE;
// Collect all existing file names.
EtStartEtwRundown();
PhRegisterCallback(
&PhProcessesUpdatedEvent,
ProcessesUpdatedCallback,
NULL,
&ProcessesUpdatedCallbackRegistration
);
}
VOID NTAPI LoadCallback(
__in_opt PVOID Parameter,
__in_opt PVOID Context
)
{
PPH_STRING sbieDllPath;
HMODULE module;
HANDLE timerQueueHandle;
HANDLE timerHandle;
BoxedProcessesHashtable = PhCreateHashtable(
sizeof(BOXED_PROCESS),
BoxedProcessesCompareFunction,
BoxedProcessesHashFunction,
32
);
sbieDllPath = PhGetStringSetting(L"ProcessHacker.SbieSupport.SbieDllPath");
module = LoadLibrary(sbieDllPath->Buffer);
PhDereferenceObject(sbieDllPath);
SbieApi_QueryBoxPath = (PVOID)GetProcAddress(module, SbieApi_QueryBoxPath_Name);
SbieApi_EnumBoxes = (PVOID)GetProcAddress(module, SbieApi_EnumBoxes_Name);
SbieApi_EnumProcessEx = (PVOID)GetProcAddress(module, SbieApi_EnumProcessEx_Name);
SbieDll_KillAll = (PVOID)GetProcAddress(module, SbieDll_KillAll_Name);
if (NT_SUCCESS(RtlCreateTimerQueue(&timerQueueHandle)))
{
RtlCreateTimer(timerQueueHandle, &timerHandle, RefreshSandboxieInfo, NULL, 0, 4000, 0);
}
}
VOID NTAPI LoadCallback(
_In_opt_ PVOID Parameter,
_In_opt_ PVOID Context
)
{
PPH_STRING sbieDllPath;
HMODULE module;
HANDLE timerQueueHandle;
HANDLE timerHandle;
BoxedProcessesHashtable = PhCreateHashtable(
sizeof(BOXED_PROCESS),
BoxedProcessesEqualFunction,
BoxedProcessesHashFunction,
32
);
sbieDllPath = PhaGetStringSetting(SETTING_NAME_SBIE_DLL_PATH);
module = LoadLibrary(sbieDllPath->Buffer);
SbieApi_QueryBoxPath = PhGetProcedureAddress(module, SbieApi_QueryBoxPath_Name, 0);
SbieApi_EnumBoxes = PhGetProcedureAddress(module, SbieApi_EnumBoxes_Name, 0);
SbieApi_EnumProcessEx = PhGetProcedureAddress(module, SbieApi_EnumProcessEx_Name, 0);
SbieDll_KillAll = PhGetProcedureAddress(module, SbieDll_KillAll_Name, 0);
if (NT_SUCCESS(RtlCreateTimerQueue(&timerQueueHandle)))
{
RtlCreateTimer(timerQueueHandle, &timerHandle, RefreshSandboxieInfo, NULL, 0, 4000, 0);
}
}
VOID InitializeDb(
VOID
)
{
ObjectDb = PhCreateHashtable(
sizeof(PDB_OBJECT),
ObjectDbEqualFunction,
ObjectDbHashFunction,
64
);
}
PPH_MODULE_PROVIDER PhCreateModuleProvider(
__in HANDLE ProcessId
)
{
PPH_MODULE_PROVIDER moduleProvider;
if (!NT_SUCCESS(PhCreateObject(
&moduleProvider,
sizeof(PH_MODULE_PROVIDER),
0,
PhModuleProviderType
)))
return NULL;
moduleProvider->ModuleHashtable = PhCreateHashtable(
sizeof(PPH_MODULE_ITEM),
PhpModuleHashtableCompareFunction,
PhpModuleHashtableHashFunction,
20
);
PhInitializeFastLock(&moduleProvider->ModuleHashtableLock);
PhInitializeCallback(&moduleProvider->ModuleAddedEvent);
PhInitializeCallback(&moduleProvider->ModuleModifiedEvent);
PhInitializeCallback(&moduleProvider->ModuleRemovedEvent);
PhInitializeCallback(&moduleProvider->UpdatedEvent);
moduleProvider->ProcessId = ProcessId;
moduleProvider->ProcessHandle = NULL;
// It doesn't matter if we can't get a process handle.
// Try to get a handle with query information + vm read access.
if (!NT_SUCCESS(PhOpenProcess(
&moduleProvider->ProcessHandle,
PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
ProcessId
)))
{
if (WINDOWS_HAS_LIMITED_ACCESS)
{
// Try to get a handle with query limited information + vm read access.
PhOpenProcess(
&moduleProvider->ProcessHandle,
PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ,
ProcessId
);
}
}
RtlInitializeSListHead(&moduleProvider->QueryListHead);
return moduleProvider;
}
BOOLEAN PhServiceProviderInitialization(
VOID
)
{
PhServiceItemType = PhCreateObjectType(L"ServiceItem", 0, PhpServiceItemDeleteProcedure);
PhServiceHashtable = PhCreateHashtable(
sizeof(PPH_SERVICE_ITEM),
PhpServiceHashtableCompareFunction,
PhpServiceHashtableHashFunction,
40
);
return TRUE;
}
FORCEINLINE VOID PhpEnsureTickHashtableCreated(
__in PPH_EXTLV_CONTEXT Context
)
{
if (!Context->TickHashtable)
{
Context->TickHashtable = PhCreateHashtable(
sizeof(PH_TICK_ENTRY),
PhpTickHashtableCompareFunction,
PhpTickHashtableHashFunction,
20
);
}
}
PPH_THREAD_PROVIDER PhCreateThreadProvider(
__in HANDLE ProcessId
)
{
PPH_THREAD_PROVIDER threadProvider;
if (!NT_SUCCESS(PhCreateObject(
&threadProvider,
sizeof(PH_THREAD_PROVIDER),
0,
PhThreadProviderType
)))
return NULL;
threadProvider->ThreadHashtable = PhCreateHashtable(
sizeof(PPH_THREAD_ITEM),
PhpThreadHashtableCompareFunction,
PhpThreadHashtableHashFunction,
20
);
PhInitializeFastLock(&threadProvider->ThreadHashtableLock);
PhInitializeCallback(&threadProvider->ThreadAddedEvent);
PhInitializeCallback(&threadProvider->ThreadModifiedEvent);
PhInitializeCallback(&threadProvider->ThreadRemovedEvent);
PhInitializeCallback(&threadProvider->UpdatedEvent);
PhInitializeCallback(&threadProvider->LoadingStateChangedEvent);
threadProvider->ProcessId = ProcessId;
threadProvider->SymbolProvider = PhCreateSymbolProvider(ProcessId);
if (threadProvider->SymbolProvider)
{
if (threadProvider->SymbolProvider->IsRealHandle)
threadProvider->ProcessHandle = threadProvider->SymbolProvider->ProcessHandle;
}
PhInitializeEvent(&threadProvider->SymbolsLoadedEvent);
threadProvider->SymbolsLoading = 0;
RtlInitializeSListHead(&threadProvider->QueryListHead);
threadProvider->RunId = 1;
// Begin loading symbols for the process' modules.
PhReferenceObject(threadProvider);
PhpQueueThreadWorkQueueItem(PhpThreadProviderLoadSymbols, threadProvider);
return threadProvider;
}
VOID PhSettingsInitialization(
VOID
)
{
PhSettingsHashtable = PhCreateHashtable(
sizeof(PH_SETTING),
PhpSettingsHashtableEqualFunction,
PhpSettingsHashtableHashFunction,
256
);
PhIgnoredSettings = PhCreateList(4);
PhAddDefaultSettings();
PhUpdateCachedSettings();
}
PPH_THREAD_PROVIDER PhCreateThreadProvider(
_In_ HANDLE ProcessId
)
{
PPH_THREAD_PROVIDER threadProvider;
threadProvider = PhCreateObject(
PhEmGetObjectSize(EmThreadProviderType, sizeof(PH_THREAD_PROVIDER)),
PhThreadProviderType
);
memset(threadProvider, 0, sizeof(PH_THREAD_PROVIDER));
threadProvider->ThreadHashtable = PhCreateHashtable(
sizeof(PPH_THREAD_ITEM),
PhpThreadHashtableEqualFunction,
PhpThreadHashtableHashFunction,
20
);
PhInitializeFastLock(&threadProvider->ThreadHashtableLock);
PhInitializeCallback(&threadProvider->ThreadAddedEvent);
PhInitializeCallback(&threadProvider->ThreadModifiedEvent);
PhInitializeCallback(&threadProvider->ThreadRemovedEvent);
PhInitializeCallback(&threadProvider->UpdatedEvent);
PhInitializeCallback(&threadProvider->LoadingStateChangedEvent);
threadProvider->ProcessId = ProcessId;
threadProvider->SymbolProvider = PhCreateSymbolProvider(ProcessId);
if (threadProvider->SymbolProvider)
{
if (threadProvider->SymbolProvider->IsRealHandle)
threadProvider->ProcessHandle = threadProvider->SymbolProvider->ProcessHandle;
}
RtlInitializeSListHead(&threadProvider->QueryListHead);
PhInitializeQueuedLock(&threadProvider->LoadSymbolsLock);
threadProvider->RunId = 1;
threadProvider->SymbolsLoadedRunId = 0; // Force symbols to be loaded the first time we try to resolve an address
PhEmCallObjectOperation(EmThreadProviderType, threadProvider, EmObjectCreate);
return threadProvider;
}
PPH_MODULE_PROVIDER PhCreateModuleProvider(
_In_ HANDLE ProcessId
)
{
NTSTATUS status;
PPH_MODULE_PROVIDER moduleProvider;
moduleProvider = PhCreateObject(
PhEmGetObjectSize(EmModuleProviderType, sizeof(PH_MODULE_PROVIDER)),
PhModuleProviderType
);
moduleProvider->ModuleHashtable = PhCreateHashtable(
sizeof(PPH_MODULE_ITEM),
PhpModuleHashtableEqualFunction,
PhpModuleHashtableHashFunction,
20
);
PhInitializeFastLock(&moduleProvider->ModuleHashtableLock);
PhInitializeCallback(&moduleProvider->ModuleAddedEvent);
PhInitializeCallback(&moduleProvider->ModuleModifiedEvent);
PhInitializeCallback(&moduleProvider->ModuleRemovedEvent);
PhInitializeCallback(&moduleProvider->UpdatedEvent);
moduleProvider->ProcessId = ProcessId;
moduleProvider->ProcessHandle = NULL;
moduleProvider->PackageFullName = NULL;
moduleProvider->RunStatus = STATUS_SUCCESS;
// It doesn't matter if we can't get a process handle.
// Try to get a handle with query information + vm read access.
if (!NT_SUCCESS(status = PhOpenProcess(
&moduleProvider->ProcessHandle,
PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
ProcessId
)))
{
if (WINDOWS_HAS_LIMITED_ACCESS)
{
// Try to get a handle with query limited information + vm read access.
status = PhOpenProcess(
&moduleProvider->ProcessHandle,
PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ,
ProcessId
);
}
moduleProvider->RunStatus = status;
}
if (moduleProvider->ProcessHandle)
moduleProvider->PackageFullName = PhGetProcessPackageFullName(moduleProvider->ProcessHandle);
RtlInitializeSListHead(&moduleProvider->QueryListHead);
PhEmCallObjectOperation(EmModuleProviderType, moduleProvider, EmObjectCreate);
return moduleProvider;
}
