/**
 * Initializes the disk-monitoring subsystem: the disk item object type, the
 * disk item hashtable and age list, the packet free list and S-list, the file
 * name table, and the performance counter frequency. Then enables disk
 * monitoring, starts the ETW rundown and registers for process updates.
 */
VOID EtInitializeDiskInformation(
    VOID
    )
{
    LARGE_INTEGER performanceCounter;

    EtDiskItemType = PhCreateObjectType(L"DiskItem", 0, EtpDiskItemDeleteProcedure);

    // Entries are pointers to disk items (sizeof(PET_DISK_ITEM)), not the items themselves.
    EtDiskHashtable = PhCreateHashtable(
        sizeof(PET_DISK_ITEM),
        EtpDiskHashtableEqualFunction,
        EtpDiskHashtableHashFunction,
        128
        );
    InitializeListHead(&EtDiskAgeListHead);
    PhInitializeFreeList(&EtDiskPacketFreeList, sizeof(ETP_DISK_PACKET), 64);
    RtlInitializeSListHead(&EtDiskPacketListHead);
    EtFileNameHashtable = PhCreateSimpleHashtable(128);

    // Only the frequency is kept; the counter value itself is discarded.
    NtQueryPerformanceCounter(&performanceCounter, &EtpPerformanceFrequency);

    // NOTE(review): set before the rundown starts; presumably the ETW event
    // handlers check this flag, so confirm before reordering.
    EtDiskEnabled = TRUE;

    // Collect all existing file names.
    EtStartEtwRundown();

    PhRegisterCallback(
        &PhProcessesUpdatedEvent,
        ProcessesUpdatedCallback,
        NULL,
        &ProcessesUpdatedCallbackRegistration
        );
}
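/**
 * Plugin load callback: creates the boxed-process table, loads SbieDll from
 * the configured path, resolves the Sandboxie API entry points and starts a
 * periodic refresh timer.
 *
 * \param Parameter Unused.
 * \param Context Unused.
 *
 * The DLL path comes from the ProcessHacker.SbieSupport.SbieDllPath setting.
 * LoadLibrary applies the default DLL search order to a path that is not fully
 * qualified, so the setting is expected to hold an absolute path.
 */
VOID NTAPI LoadCallback(
    __in_opt PVOID Parameter,
    __in_opt PVOID Context
    )
{
    PPH_STRING sbieDllPath;
    HMODULE module;
    HANDLE timerQueueHandle;
    HANDLE timerHandle;

    BoxedProcessesHashtable = PhCreateHashtable(
        sizeof(BOXED_PROCESS),
        BoxedProcessesCompareFunction,
        BoxedProcessesHashFunction,
        32
        );

    sbieDllPath = PhGetStringSetting(L"ProcessHacker.SbieSupport.SbieDllPath");
    module = LoadLibrary(sbieDllPath->Buffer);
    PhDereferenceObject(sbieDllPath);

    // If SbieDll could not be loaded, leave the API pointers unresolved and do
    // not start the refresh timer: RefreshSandboxieInfo would otherwise run
    // every period against entry points that were never resolved.
    if (!module)
        return;

    SbieApi_QueryBoxPath = (PVOID)GetProcAddress(module, SbieApi_QueryBoxPath_Name);
    SbieApi_EnumBoxes = (PVOID)GetProcAddress(module, SbieApi_EnumBoxes_Name);
    SbieApi_EnumProcessEx = (PVOID)GetProcAddress(module, SbieApi_EnumProcessEx_Name);
    SbieDll_KillAll = (PVOID)GetProcAddress(module, SbieDll_KillAll_Name);
    // GetProcAddress can still return NULL for an individual export; users of
    // these pointers are assumed to check for NULL (not visible here).

    if (NT_SUCCESS(RtlCreateTimerQueue(&timerQueueHandle)))
    {
        // Due time 0 (fire immediately), then every 4000 ms. The queue and
        // timer live for the rest of the process and are never deleted.
        RtlCreateTimer(timerQueueHandle, &timerHandle, RefreshSandboxieInfo, NULL, 0, 4000, 0);
    }
}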
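/**
 * Plugin load callback: creates the boxed-process table, loads SbieDll from
 * the configured path, resolves the Sandboxie API entry points and starts a
 * periodic refresh timer.
 *
 * \param Parameter Unused.
 * \param Context Unused.
 *
 * The DLL path comes from the SETTING_NAME_SBIE_DLL_PATH setting. LoadLibrary
 * applies the default DLL search order to a path that is not fully qualified,
 * so the setting is expected to hold an absolute path.
 */
VOID NTAPI LoadCallback(
    _In_opt_ PVOID Parameter,
    _In_opt_ PVOID Context
    )
{
    PPH_STRING sbieDllPath;
    HMODULE module;
    HANDLE timerQueueHandle;
    HANDLE timerHandle;

    BoxedProcessesHashtable = PhCreateHashtable(
        sizeof(BOXED_PROCESS),
        BoxedProcessesEqualFunction,
        BoxedProcessesHashFunction,
        32
        );

    // PhaGetStringSetting presumably returns an auto-released string, which is
    // why there is no explicit dereference here.
    sbieDllPath = PhaGetStringSetting(SETTING_NAME_SBIE_DLL_PATH);
    module = LoadLibrary(sbieDllPath->Buffer);

    // If SbieDll could not be loaded, leave the API pointers unresolved and do
    // not start the refresh timer: RefreshSandboxieInfo would otherwise run
    // every period against entry points that were never resolved.
    if (!module)
        return;

    SbieApi_QueryBoxPath = PhGetProcedureAddress(module, SbieApi_QueryBoxPath_Name, 0);
    SbieApi_EnumBoxes = PhGetProcedureAddress(module, SbieApi_EnumBoxes_Name, 0);
    SbieApi_EnumProcessEx = PhGetProcedureAddress(module, SbieApi_EnumProcessEx_Name, 0);
    SbieDll_KillAll = PhGetProcedureAddress(module, SbieDll_KillAll_Name, 0);
    // An individual export may still resolve to NULL; users of these pointers
    // are assumed to check for NULL (not visible here).

    if (NT_SUCCESS(RtlCreateTimerQueue(&timerQueueHandle)))
    {
        // Due time 0 (fire immediately), then every 4000 ms. The queue and
        // timer live for the rest of the process and are never deleted.
        RtlCreateTimer(timerQueueHandle, &timerHandle, RefreshSandboxieInfo, NULL, 0, 4000, 0);
    }
}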
/**
 * Creates the object database. Entries are PDB_OBJECT pointers, keyed and
 * compared by ObjectDbHashFunction / ObjectDbEqualFunction.
 */
VOID InitializeDb(
    VOID
    )
{
    PPH_HASHTABLE table;

    table = PhCreateHashtable(
        sizeof(PDB_OBJECT),
        ObjectDbEqualFunction,
        ObjectDbHashFunction,
        64
        );

    ObjectDb = table;
}
/**
 * Creates a module provider for a process.
 *
 * \param ProcessId The ID of the process whose modules will be enumerated.
 *
 * \return A referenced module provider, or NULL if the object could not be
 * allocated. The provider's ProcessHandle may be NULL when the process cannot
 * be opened; this is not treated as an error.
 */
PPH_MODULE_PROVIDER PhCreateModuleProvider(
    __in HANDLE ProcessId
    )
{
    NTSTATUS status;
    PPH_MODULE_PROVIDER provider;

    status = PhCreateObject(
        &provider,
        sizeof(PH_MODULE_PROVIDER),
        0,
        PhModuleProviderType
        );

    if (!NT_SUCCESS(status))
        return NULL;

    provider->ProcessId = ProcessId;
    provider->ProcessHandle = NULL;

    // Entries are PPH_MODULE_ITEM pointers.
    provider->ModuleHashtable = PhCreateHashtable(
        sizeof(PPH_MODULE_ITEM),
        PhpModuleHashtableCompareFunction,
        PhpModuleHashtableHashFunction,
        20
        );
    PhInitializeFastLock(&provider->ModuleHashtableLock);
    RtlInitializeSListHead(&provider->QueryListHead);

    PhInitializeCallback(&provider->ModuleAddedEvent);
    PhInitializeCallback(&provider->ModuleModifiedEvent);
    PhInitializeCallback(&provider->ModuleRemovedEvent);
    PhInitializeCallback(&provider->UpdatedEvent);

    // Opening the process is best-effort: first ask for query information +
    // VM read, and if that is refused fall back to query limited information
    // + VM read on systems that support it.
    status = PhOpenProcess(
        &provider->ProcessHandle,
        PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
        ProcessId
        );

    if (!NT_SUCCESS(status) && WINDOWS_HAS_LIMITED_ACCESS)
    {
        PhOpenProcess(
            &provider->ProcessHandle,
            PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ,
            ProcessId
            );
    }

    return provider;
}
/**
 * Initializes the service provider: registers the ServiceItem object type and
 * creates the service hashtable (entries are PPH_SERVICE_ITEM pointers).
 *
 * \return Always TRUE.
 */
BOOLEAN PhServiceProviderInitialization(
    VOID
    )
{
    PPH_HASHTABLE serviceTable;

    PhServiceItemType = PhCreateObjectType(L"ServiceItem", 0, PhpServiceItemDeleteProcedure);

    serviceTable = PhCreateHashtable(
        sizeof(PPH_SERVICE_ITEM),
        PhpServiceHashtableCompareFunction,
        PhpServiceHashtableHashFunction,
        40
        );
    PhServiceHashtable = serviceTable;

    return TRUE;
}
/**
 * Lazily creates the tick hashtable of an extended list view context.
 *
 * \param Context The list view context. If TickHashtable is already set the
 * function does nothing.
 */
FORCEINLINE VOID PhpEnsureTickHashtableCreated(
    __in PPH_EXTLV_CONTEXT Context
    )
{
    if (Context->TickHashtable)
        return;

    // Entries are PH_TICK_ENTRY structures stored by value.
    Context->TickHashtable = PhCreateHashtable(
        sizeof(PH_TICK_ENTRY),
        PhpTickHashtableCompareFunction,
        PhpTickHashtableHashFunction,
        20
        );
}
/**
 * Creates a thread provider for a process and queues symbol loading for it.
 *
 * \param ProcessId The ID of the process whose threads will be enumerated.
 *
 * \return A referenced thread provider, or NULL if the object could not be
 * allocated.
 */
PPH_THREAD_PROVIDER PhCreateThreadProvider(
    __in HANDLE ProcessId
    )
{
    NTSTATUS status;
    PPH_THREAD_PROVIDER provider;

    status = PhCreateObject(
        &provider,
        sizeof(PH_THREAD_PROVIDER),
        0,
        PhThreadProviderType
        );

    if (!NT_SUCCESS(status))
        return NULL;

    // Entries are PPH_THREAD_ITEM pointers.
    provider->ThreadHashtable = PhCreateHashtable(
        sizeof(PPH_THREAD_ITEM),
        PhpThreadHashtableCompareFunction,
        PhpThreadHashtableHashFunction,
        20
        );
    PhInitializeFastLock(&provider->ThreadHashtableLock);

    PhInitializeCallback(&provider->ThreadAddedEvent);
    PhInitializeCallback(&provider->ThreadModifiedEvent);
    PhInitializeCallback(&provider->ThreadRemovedEvent);
    PhInitializeCallback(&provider->UpdatedEvent);
    PhInitializeCallback(&provider->LoadingStateChangedEvent);

    provider->ProcessId = ProcessId;

    // Reuse the symbol provider's process handle, but only when it is a real
    // handle to the process.
    provider->SymbolProvider = PhCreateSymbolProvider(ProcessId);

    if (provider->SymbolProvider && provider->SymbolProvider->IsRealHandle)
        provider->ProcessHandle = provider->SymbolProvider->ProcessHandle;

    PhInitializeEvent(&provider->SymbolsLoadedEvent);
    provider->SymbolsLoading = 0;
    RtlInitializeSListHead(&provider->QueryListHead);
    provider->RunId = 1;

    // Begin loading symbols for the process' modules. The extra reference is
    // taken on behalf of the queued work item, which is presumably responsible
    // for releasing it.
    PhReferenceObject(provider);
    PhpQueueThreadWorkQueueItem(PhpThreadProviderLoadSymbols, provider);

    return provider;
}
/**
 * Initializes the settings subsystem: creates the settings hashtable and the
 * ignored-settings list, registers the built-in default settings and refreshes
 * the cached copies of frequently read values.
 *
 * The hashtable must exist before PhAddDefaultSettings populates it, and
 * PhUpdateCachedSettings presumably reads from it, so the order below matters.
 */
VOID PhSettingsInitialization(
    VOID
    )
{
    // Entries are PH_SETTING structures stored by value.
    PhSettingsHashtable = PhCreateHashtable(
        sizeof(PH_SETTING),
        PhpSettingsHashtableEqualFunction,
        PhpSettingsHashtableHashFunction,
        256
        );
    PhIgnoredSettings = PhCreateList(4);

    PhAddDefaultSettings();
    PhUpdateCachedSettings();
}
/**
 * Creates a thread provider for a process.
 *
 * \param ProcessId The ID of the process whose threads will be enumerated.
 *
 * \return A referenced thread provider. Symbols are not loaded here; the run
 * ID bookkeeping below forces them to be loaded on the first resolve.
 */
PPH_THREAD_PROVIDER PhCreateThreadProvider(
    _In_ HANDLE ProcessId
    )
{
    PPH_THREAD_PROVIDER provider;

    // The object is sized for any extension data registered with the
    // extension manager; only the base structure is zeroed here.
    provider = PhCreateObject(
        PhEmGetObjectSize(EmThreadProviderType, sizeof(PH_THREAD_PROVIDER)),
        PhThreadProviderType
        );
    memset(provider, 0, sizeof(PH_THREAD_PROVIDER));

    provider->ProcessId = ProcessId;
    provider->RunId = 1;
    // Force symbols to be loaded the first time we try to resolve an address.
    provider->SymbolsLoadedRunId = 0;

    // Entries are PPH_THREAD_ITEM pointers.
    provider->ThreadHashtable = PhCreateHashtable(
        sizeof(PPH_THREAD_ITEM),
        PhpThreadHashtableEqualFunction,
        PhpThreadHashtableHashFunction,
        20
        );
    PhInitializeFastLock(&provider->ThreadHashtableLock);
    RtlInitializeSListHead(&provider->QueryListHead);
    PhInitializeQueuedLock(&provider->LoadSymbolsLock);

    PhInitializeCallback(&provider->ThreadAddedEvent);
    PhInitializeCallback(&provider->ThreadModifiedEvent);
    PhInitializeCallback(&provider->ThreadRemovedEvent);
    PhInitializeCallback(&provider->UpdatedEvent);
    PhInitializeCallback(&provider->LoadingStateChangedEvent);

    // Reuse the symbol provider's process handle, but only when it is a real
    // handle to the process.
    provider->SymbolProvider = PhCreateSymbolProvider(ProcessId);

    if (provider->SymbolProvider && provider->SymbolProvider->IsRealHandle)
        provider->ProcessHandle = provider->SymbolProvider->ProcessHandle;

    PhEmCallObjectOperation(EmThreadProviderType, provider, EmObjectCreate);

    return provider;
}
/**
 * Opens a process for module enumeration with the widest access that is
 * granted: query information + VM read first, then query limited information
 * + VM read on systems that support it.
 *
 * \param ProcessId The ID of the process to open.
 * \param ProcessHandle Receives the handle on success.
 *
 * \return STATUS_SUCCESS if the first attempt succeeded; otherwise the status
 * of the last attempt made.
 */
static NTSTATUS PhpOpenProcessForModuleProvider(
    _In_ HANDLE ProcessId,
    _Out_ PHANDLE ProcessHandle
    )
{
    NTSTATUS status;

    status = PhOpenProcess(
        ProcessHandle,
        PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
        ProcessId
        );

    if (NT_SUCCESS(status))
        return STATUS_SUCCESS;

    if (WINDOWS_HAS_LIMITED_ACCESS)
    {
        status = PhOpenProcess(
            ProcessHandle,
            PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ,
            ProcessId
            );
    }

    return status;
}

/**
 * Creates a module provider for a process.
 *
 * \param ProcessId The ID of the process whose modules will be enumerated.
 *
 * \return A referenced module provider. Failure to open the process is not an
 * error: ProcessHandle stays NULL and RunStatus records the open status.
 */
PPH_MODULE_PROVIDER PhCreateModuleProvider(
    _In_ HANDLE ProcessId
    )
{
    PPH_MODULE_PROVIDER provider;

    // The object is sized for any extension data registered with the
    // extension manager.
    provider = PhCreateObject(
        PhEmGetObjectSize(EmModuleProviderType, sizeof(PH_MODULE_PROVIDER)),
        PhModuleProviderType
        );

    provider->ProcessId = ProcessId;
    provider->ProcessHandle = NULL;
    provider->PackageFullName = NULL;

    // Entries are PPH_MODULE_ITEM pointers.
    provider->ModuleHashtable = PhCreateHashtable(
        sizeof(PPH_MODULE_ITEM),
        PhpModuleHashtableEqualFunction,
        PhpModuleHashtableHashFunction,
        20
        );
    PhInitializeFastLock(&provider->ModuleHashtableLock);
    RtlInitializeSListHead(&provider->QueryListHead);

    PhInitializeCallback(&provider->ModuleAddedEvent);
    PhInitializeCallback(&provider->ModuleModifiedEvent);
    PhInitializeCallback(&provider->ModuleRemovedEvent);
    PhInitializeCallback(&provider->UpdatedEvent);

    // It doesn't matter if we can't get a process handle; the status is kept
    // so the provider can report why enumeration may be incomplete.
    provider->RunStatus = PhpOpenProcessForModuleProvider(ProcessId, &provider->ProcessHandle);

    if (provider->ProcessHandle)
        provider->PackageFullName = PhGetProcessPackageFullName(provider->ProcessHandle);

    PhEmCallObjectOperation(EmModuleProviderType, provider, EmObjectCreate);

    return provider;
}