/**
 * Module-enumeration callback for the object search. Records a result for
 * every module whose file name (compared after upper-casing both sides)
 * contains the search text, or whose base address equals the search pointer.
 *
 * \param Module The module being enumerated. When a result is recorded the
 * result takes its own reference to Module->FileName rather than copying it.
 * \param Context The process ID supplied by the caller; stored as the
 * result's ProcessId.
 *
 * \return TRUE, so enumeration always continues.
 */
static BOOLEAN NTAPI EnumModulesCallback(
    __in PPH_MODULE_INFO Module,
    __in_opt PVOID Context
    )
{
    // Upper-case a private copy of the file name; SearchString has already
    // been upper-cased by the search thread, so the comparison is
    // case-insensitive.
    PPH_STRING fileNameUpper = PhDuplicateString(Module->FileName);
    BOOLEAN textMatch;
    BOOLEAN pointerMatch;

    PhUpperString(fileNameUpper);

    textMatch = PhFindStringInString(fileNameUpper, 0, SearchString->Buffer) != -1;
    pointerMatch = UseSearchPointer && Module->BaseAddress == (PVOID)SearchPointer;

    if (textMatch || pointerMatch)
    {
        BOOLEAN isMappedFile = Module->Type == PH_MODULE_TYPE_MAPPED_FILE;
        BOOLEAN isMappedImage = Module->Type == PH_MODULE_TYPE_MAPPED_IMAGE;
        PWSTR typeLabel;
        PPHP_OBJECT_SEARCH_RESULT result;

        if (isMappedFile)
            typeLabel = L"Mapped File";
        else if (isMappedImage)
            typeLabel = L"Mapped Image";
        else
            typeLabel = L"DLL";

        result = PhAllocate(sizeof *result);
        result->ProcessId = (HANDLE)Context;
        // Mapped files and mapped images are reported as file results;
        // anything else is reported as a module (DLL) result.
        result->ResultType = (isMappedFile || isMappedImage) ? MappedFileSearchResult : ModuleSearchResult;
        result->Handle = (HANDLE)Module->BaseAddress;
        result->TypeName = PhCreateString(typeLabel);
        // The result shares the module's file name string and holds its own
        // reference to it.
        PhReferenceObject(Module->FileName);
        result->Name = Module->FileName;
        PhPrintPointer(result->HandleString, Module->BaseAddress);
        // A module has no handle table entry, so Info is left zeroed.
        memset(&result->Info, 0, sizeof result->Info);

        PhAcquireQueuedLockExclusive(&SearchResultsLock);

        PhAddItemList(SearchResults, result);

        // Tell the window to refresh every 40 results so it updates in batches.
        if (SearchResults->Count % 40 == 0)
            PostMessage(PhFindObjectsWindowHandle, WM_PH_SEARCH_UPDATE, 0, 0);

        PhReleaseQueuedLockExclusive(&SearchResultsLock);
    }

    PhDereferenceObject(fileNameUpper);

    return TRUE;
}
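/**
 * Command line parser callback: invoked once per matched option, or once per
 * non-option argument, to fill in PhStartupParameters.
 *
 * \param Option The option that was matched, or NULL for a non-option
 * argument.
 * \param Value The option's argument string, or the raw non-option argument
 * when Option is NULL. Declared optional, so options that need a value are
 * skipped (leaving the parameter unchanged) when it is NULL.
 * \param Context Unused.
 *
 * \return TRUE, so parsing always continues.
 */
BOOLEAN NTAPI PhpCommandLineOptionCallback(
    _In_opt_ PPH_COMMAND_LINE_OPTION Option,
    _In_opt_ PPH_STRING Value,
    _In_opt_ PVOID Context
)
{
    ULONG64 integer;

    if (Option)
    {
        switch (Option->Id)
        {
        case PH_ARG_SETTINGS:
            PhSwapReference(&PhStartupParameters.SettingsFileName, Value);
            break;
        case PH_ARG_NOSETTINGS:
            PhStartupParameters.NoSettings = TRUE;
            break;
        case PH_ARG_SHOWVISIBLE:
            PhStartupParameters.ShowVisible = TRUE;
            break;
        case PH_ARG_SHOWHIDDEN:
            PhStartupParameters.ShowHidden = TRUE;
            break;
        case PH_ARG_COMMANDMODE:
            PhStartupParameters.CommandMode = TRUE;
            break;
        case PH_ARG_COMMANDTYPE:
            PhSwapReference(&PhStartupParameters.CommandType, Value);
            break;
        case PH_ARG_COMMANDOBJECT:
            PhSwapReference(&PhStartupParameters.CommandObject, Value);
            break;
        case PH_ARG_COMMANDACTION:
            PhSwapReference(&PhStartupParameters.CommandAction, Value);
            break;
        case PH_ARG_COMMANDVALUE:
            PhSwapReference(&PhStartupParameters.CommandValue, Value);
            break;
        case PH_ARG_RUNASSERVICEMODE:
            PhSwapReference(&PhStartupParameters.RunAsServiceMode, Value);
            break;
        case PH_ARG_NOKPH:
            PhStartupParameters.NoKph = TRUE;
            break;
        case PH_ARG_INSTALLKPH:
            PhStartupParameters.InstallKph = TRUE;
            break;
        case PH_ARG_UNINSTALLKPH:
            PhStartupParameters.UninstallKph = TRUE;
            break;
        case PH_ARG_DEBUG:
            PhStartupParameters.Debug = TRUE;
            break;
        case PH_ARG_HWND:
            // The window handle is given in hexadecimal; a missing or
            // unparseable value leaves WindowHandle untouched.
            if (Value && PhStringToInteger64(&Value->sr, 16, &integer))
                PhStartupParameters.WindowHandle = (HWND)(ULONG_PTR)integer;
            break;
        case PH_ARG_POINT:
        {
            PH_STRINGREF xString;
            PH_STRINGREF yString;

            // Expected form is "x,y" in decimal. Both halves must parse,
            // otherwise Point is left unchanged. The casts silently narrow
            // values outside the LONG range.
            if (Value && PhSplitStringRefAtChar(&Value->sr, ',', &xString, &yString))
            {
                LONG64 x;
                LONG64 y;

                if (PhStringToInteger64(&xString, 10, &x) && PhStringToInteger64(&yString, 10, &y))
                {
                    PhStartupParameters.Point.x = (LONG)x;
                    PhStartupParameters.Point.y = (LONG)y;
                }
            }
        }
        break;
        case PH_ARG_SHOWOPTIONS:
            PhStartupParameters.ShowOptions = TRUE;
            break;
        case PH_ARG_PHSVC:
            PhStartupParameters.PhSvc = TRUE;
            break;
        case PH_ARG_NOPLUGINS:
            PhStartupParameters.NoPlugins = TRUE;
            break;
        case PH_ARG_NEWINSTANCE:
            PhStartupParameters.NewInstance = TRUE;
            break;
        case PH_ARG_ELEVATE:
            PhStartupParameters.Elevate = TRUE;
            break;
        case PH_ARG_SILENT:
            PhStartupParameters.Silent = TRUE;
            break;
        case PH_ARG_HELP:
            PhStartupParameters.Help = TRUE;
            break;
        case PH_ARG_SELECTPID:
            // Base 0 presumably means prefix auto-detection — confirm against
            // PhStringToInteger64. The cast silently narrows to ULONG.
            if (Value && PhStringToInteger64(&Value->sr, 0, &integer))
                PhStartupParameters.SelectPid = (ULONG)integer;
            break;
        case PH_ARG_PRIORITY:
            // Single-letter priority class; anything else leaves
            // PriorityClass unchanged.
            if (!Value)
                break;
            if (PhEqualString2(Value, L"r", TRUE))
                PhStartupParameters.PriorityClass = PROCESS_PRIORITY_CLASS_REALTIME;
            else if (PhEqualString2(Value, L"h", TRUE))
                PhStartupParameters.PriorityClass = PROCESS_PRIORITY_CLASS_HIGH;
            else if (PhEqualString2(Value, L"n", TRUE))
                PhStartupParameters.PriorityClass = PROCESS_PRIORITY_CLASS_NORMAL;
            else if (PhEqualString2(Value, L"l", TRUE))
                PhStartupParameters.PriorityClass = PROCESS_PRIORITY_CLASS_IDLE;
            break;
        case PH_ARG_PLUGIN:
            // May be given more than once; every value is collected.
            if (!Value)
                break;
            if (!PhStartupParameters.PluginParameters)
                PhStartupParameters.PluginParameters = PhCreateList(3);
            // The list keeps its own reference to the value.
            PhReferenceObject(Value);
            PhAddItemList(PhStartupParameters.PluginParameters, Value);
            break;
        case PH_ARG_SELECTTAB:
            PhSwapReference(&PhStartupParameters.SelectTab, Value);
            break;
        default:
            // Unknown option IDs are ignored rather than aborting the parse.
            break;
        }
    }
    else if (Value)
    {
        PPH_STRING upperValue;

        upperValue = PhDuplicateString(Value);
        _wcsupr(upperValue->Buffer);

        if (PhFindStringInString(upperValue, 0, L"TASKMGR.EXE") != -1)
        {
            // User probably has Process Hacker replacing Task Manager. Force
            // the main window to start visible.
            PhStartupParameters.ShowVisible = TRUE;
        }

        PhDereferenceObject(upperValue);
    }

    return TRUE;
}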
/**
 * Work item that examines one handle table entry for the object search.
 * Queries the handle's type name and best object name and records a result
 * when the upper-cased object name matches the search string, or when the
 * kernel object address equals the search pointer.
 *
 * \param Parameter A PSEARCH_HANDLE_CONTEXT describing the handle and the
 * process handle used to query it. It is freed here when NeedToFree is set.
 *
 * \return STATUS_SUCCESS always.
 */
static NTSTATUS NTAPI SearchHandleFunction(
    _In_ PVOID Parameter
    )
{
    PSEARCH_HANDLE_CONTEXT ctx = Parameter;
    PPH_STRING typeName;
    PPH_STRING objectName;
    PPH_STRING objectNameUpper;
    BOOLEAN matched;

    // Skip the object query entirely once the search has been cancelled.
    if (SearchStop)
        goto Done;

    if (!NT_SUCCESS(PhGetHandleInformation(
        ctx->ProcessHandle,
        (HANDLE)ctx->HandleInfo->HandleValue,
        ctx->HandleInfo->ObjectTypeIndex,
        NULL,
        &typeName,
        NULL,
        &objectName
        )))
    {
        goto Done;
    }

    // Match case-insensitively against a private upper-cased copy.
    objectNameUpper = PhDuplicateString(objectName);
    _wcsupr(objectNameUpper->Buffer);

    matched = MatchSearchString(&objectNameUpper->sr) ||
        (UseSearchPointer && ctx->HandleInfo->Object == (PVOID)SearchPointer);

    if (matched)
    {
        PPHP_OBJECT_SEARCH_RESULT result = PhAllocate(sizeof *result);

        // typeName and objectName are handed over to the result, which now
        // owns those references.
        result->ProcessId = (HANDLE)ctx->HandleInfo->UniqueProcessId;
        result->ResultType = HandleSearchResult;
        result->Handle = (HANDLE)ctx->HandleInfo->HandleValue;
        result->TypeName = typeName;
        result->Name = objectName;
        PhPrintPointer(result->HandleString, (PVOID)result->Handle);
        result->Info = *ctx->HandleInfo;

        PhAcquireQueuedLockExclusive(&SearchResultsLock);

        PhAddItemList(SearchResults, result);

        // Tell the window to refresh every 40 results so it updates in batches.
        if (SearchResults->Count % 40 == 0)
            PostMessage(PhFindObjectsWindowHandle, WM_PH_SEARCH_UPDATE, 0, 0);

        PhReleaseQueuedLockExclusive(&SearchResultsLock);
    }
    else
    {
        // No result was recorded, so release the strings ourselves.
        PhDereferenceObject(typeName);
        PhDereferenceObject(objectName);
    }

    PhDereferenceObject(objectNameUpper);

Done:
    if (ctx->NeedToFree)
        PhFree(ctx);

    return STATUS_SUCCESS;
}
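/**
 * Search thread for the Find Objects window. Runs two phases:
 * (1) enumerates every handle on the system, opening each owning process at
 *     most once with PROCESS_DUP_HANDLE, and records handles whose object
 *     name contains the search text or whose object address equals the
 *     search pointer;
 * (2) enumerates the modules, mapped files and mapped images of every
 *     process through EnumModulesCallback.
 *
 * Results are appended to SearchResults under SearchResultsLock; the window
 * is posted WM_PH_SEARCH_UPDATE every 40 results and WM_PH_SEARCH_FINISHED
 * when the thread is done. Setting SearchStop ends both phases early.
 * Side effects: SearchString is upper-cased in place, and UseSearchPointer /
 * SearchPointer are set from it.
 *
 * \param Parameter Unused.
 *
 * \return STATUS_SUCCESS always.
 */
static NTSTATUS PhpFindObjectsThreadStart(
    __in PVOID Parameter
    )
{
    PSYSTEM_HANDLE_INFORMATION_EX handles;
    PPH_HASHTABLE processHandleHashtable;
    PVOID processes;
    PSYSTEM_PROCESS_INFORMATION process;
    ULONG i;

    // Refuse to search with no filter.
    if (SearchString->Length == 0)
        goto Exit;

    // Try to get a search pointer from the search string.
    UseSearchPointer = PhStringToInteger64(&SearchString->sr, 0, &SearchPointer);

    // Matching is case-insensitive: every candidate name is upper-cased too.
    PhUpperString(SearchString);

    if (NT_SUCCESS(PhEnumHandlesEx(&handles)))
    {
        // Maps process ID -> process handle so each process is opened once.
        processHandleHashtable = PhCreateSimpleHashtable(8);

        for (i = 0; i < handles->NumberOfHandles; i++)
        {
            PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handleInfo = &handles->Handles[i];
            PPVOID processHandlePtr;
            HANDLE processHandle;
            PPH_STRING typeName;
            PPH_STRING bestObjectName;

            if (SearchStop)
                break;

            // Open a handle to the process if we don't already have one.

            processHandlePtr = PhFindItemSimpleHashtable(
                processHandleHashtable,
                (PVOID)handleInfo->UniqueProcessId
                );

            if (processHandlePtr)
            {
                processHandle = (HANDLE)*processHandlePtr;
            }
            else
            {
                if (NT_SUCCESS(PhOpenProcess(
                    &processHandle,
                    PROCESS_DUP_HANDLE,
                    (HANDLE)handleInfo->UniqueProcessId
                    )))
                {
                    PhAddItemSimpleHashtable(
                        processHandleHashtable,
                        (PVOID)handleInfo->UniqueProcessId,
                        processHandle
                        );
                }
                else
                {
                    // The process could not be opened, so none of its handles
                    // can be inspected. Failures are not cached, so the open
                    // is retried for each of that process's handles.
                    continue;
                }
            }

            // Get handle information.

            if (NT_SUCCESS(PhGetHandleInformation(
                processHandle,
                (HANDLE)handleInfo->HandleValue,
                handleInfo->ObjectTypeIndex,
                NULL,
                &typeName,
                NULL,
                &bestObjectName
                )))
            {
                PPH_STRING upperBestObjectName;

                upperBestObjectName = PhDuplicateString(bestObjectName);
                PhUpperString(upperBestObjectName);

                if (
                    PhFindStringInString(upperBestObjectName, 0, SearchString->Buffer) != -1 ||
                    (UseSearchPointer && handleInfo->Object == (PVOID)SearchPointer)
                    )
                {
                    PPHP_OBJECT_SEARCH_RESULT searchResult;

                    searchResult = PhAllocate(sizeof *searchResult);
                    searchResult->ProcessId = (HANDLE)handleInfo->UniqueProcessId;
                    searchResult->ResultType = HandleSearchResult;
                    searchResult->Handle = (HANDLE)handleInfo->HandleValue;
                    // typeName and bestObjectName are handed over to the result.
                    searchResult->TypeName = typeName;
                    searchResult->Name = bestObjectName;
                    PhPrintPointer(searchResult->HandleString, (PVOID)searchResult->Handle);
                    searchResult->Info = *handleInfo;

                    PhAcquireQueuedLockExclusive(&SearchResultsLock);

                    PhAddItemList(SearchResults, searchResult);

                    // Update the search results in batches of 40.
                    if (SearchResults->Count % 40 == 0)
                        PostMessage(PhFindObjectsWindowHandle, WM_PH_SEARCH_UPDATE, 0, 0);

                    PhReleaseQueuedLockExclusive(&SearchResultsLock);
                }
                else
                {
                    // No result recorded: release the strings ourselves.
                    PhDereferenceObject(typeName);
                    PhDereferenceObject(bestObjectName);
                }

                PhDereferenceObject(upperBestObjectName);
            }
        }

        // Close every process handle opened above (also after a stop).
        {
            PPH_KEY_VALUE_PAIR entry;

            i = 0;

            while (PhEnumHashtable(processHandleHashtable, &entry, &i))
                NtClose((HANDLE)entry->Value);
        }

        PhDereferenceObject(processHandleHashtable);
        PhFree(handles);
    }

    // Phase 2: modules and mapped files. Honour a stop request that arrived
    // during phase 1, and re-check it before each process so cancelling does
    // not have to wait for every process to be enumerated.
    if (!SearchStop && NT_SUCCESS(PhEnumProcesses(&processes)))
    {
        process = PH_FIRST_PROCESS(processes);

        do
        {
            if (SearchStop)
                break;

            PhEnumGenericModules(
                process->UniqueProcessId,
                NULL,
                PH_ENUM_GENERIC_MAPPED_FILES | PH_ENUM_GENERIC_MAPPED_IMAGES,
                EnumModulesCallback,
                (PVOID)process->UniqueProcessId
                );
        } while ((process = PH_NEXT_PROCESS(process)) != NULL);

        PhFree(processes);
    }

Exit:
    PostMessage(PhFindObjectsWindowHandle, WM_PH_SEARCH_FINISHED, 0, 0);

    return STATUS_SUCCESS;
}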