/**
 * Resolves the process-exit routine to use on the running OS.
 *
 * RtlExitUserProcess is only exported by ntdll on Windows Vista and later,
 * so older systems fall back to kernel32!ExitProcess.
 *
 * \return Whatever PhGetProcAddress returns for the chosen export.
 */
static PVOID GetExitProcessFunction(
    VOID
    )
{
    PWSTR libraryName;
    PSTR procedureName;

    if (WindowsVersion >= WINDOWS_VISTA)
    {
        libraryName = L"ntdll.dll";
        procedureName = "RtlExitUserProcess";
    }
    else
    {
        libraryName = L"kernel32.dll";
        procedureName = "ExitProcess";
    }

    return PhGetProcAddress(libraryName, procedureName);
}
/**
 * Resolves the ntdll exports this module stores in its file-scope function
 * pointers (NtDeviceIoControlFile, NtTerminateProcess, NtTerminateThread).
 *
 * Resolution stops at the first missing export; pointers resolved before
 * that point keep their values.
 *
 * \return STATUS_SUCCESS when all three exports were found, otherwise
 * STATUS_PROCEDURE_NOT_FOUND.
 */
NTSTATUS PHAPI KphInit()
{
    NtDeviceIoControlFile = (_NtDeviceIoControlFile)PhGetProcAddress(L"ntdll.dll", "NtDeviceIoControlFile");

    if (!NtDeviceIoControlFile)
        return STATUS_PROCEDURE_NOT_FOUND;

    NtTerminateProcess = (_NtTerminateProcess)PhGetProcAddress(L"ntdll.dll", "NtTerminateProcess");

    if (!NtTerminateProcess)
        return STATUS_PROCEDURE_NOT_FOUND;

    NtTerminateThread = (_NtTerminateThread)PhGetProcAddress(L"ntdll.dll", "NtTerminateThread");

    if (!NtTerminateThread)
        return STATUS_PROCEDURE_NOT_FOUND;

    return STATUS_SUCCESS;
}
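/**
 * Looks up the name of the service associated with a service tag.
 *
 * Uses the advapi32!I_QueryTagInformation export, which is resolved on
 * first use and cached in a function-scope static.
 *
 * \param ProcessId The process the tag belongs to.
 * \param ServiceTag The service tag (a 32-bit value carried in a pointer).
 *
 * \return A string created with PhCreateString holding the service name,
 * or NULL when the export is unavailable, the query fails, or no name was
 * returned.
 */
PPH_STRING PhGetServiceNameFromTag(
    __in HANDLE ProcessId,
    __in PVOID ServiceTag
    )
{
    static PQUERY_TAG_INFORMATION I_QueryTagInformation = NULL;
    PPH_STRING serviceName = NULL;
    TAG_INFO_NAME_FROM_TAG nameFromTag;
    ULONG result;

    if (!I_QueryTagInformation)
    {
        I_QueryTagInformation = PhGetProcAddress(L"advapi32.dll", "I_QueryTagInformation");

        if (!I_QueryTagInformation)
            return NULL;
    }

    memset(&nameFromTag, 0, sizeof(TAG_INFO_NAME_FROM_TAG));
    // PIDs and tags are 32-bit values; the *ToUlong macros make the
    // truncation explicit on 64-bit builds.
    nameFromTag.InParams.dwPid = HandleToUlong(ProcessId);
    nameFromTag.InParams.dwTag = PtrToUlong(ServiceTag);

    // The query's Win32 error code was previously ignored; the caller only
    // gets a name when the query actually succeeded. Any buffer the callee
    // handed back is released regardless so nothing leaks.
    result = I_QueryTagInformation(NULL, eTagInfoLevelNameFromTag, &nameFromTag);

    if (nameFromTag.OutParams.pszName)
    {
        if (result == ERROR_SUCCESS)
            serviceName = PhCreateString(nameFromTag.OutParams.pszName);

        // pszName is allocated by the callee and released with LocalFree.
        LocalFree(nameFromTag.OutParams.pszName);
    }

    return serviceName;
}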
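/**
 * Starts an ETW trace session, enables a CLR provider on it, processes the
 * resulting events into the context, then stops the session.
 *
 * \param Context The page context passed through to StartDotNetTrace and
 * ProcessDotNetTrace.
 * \param ClrV2 FALSE selects ClrRundownProviderGuid, TRUE selects
 * ClrRuntimeProviderGuid.
 *
 * \return ERROR_NOT_SUPPORTED when EnableTraceEx cannot be resolved, the
 * error from StartDotNetTrace or EnableTraceEx when either fails, otherwise
 * the result of ProcessDotNetTrace.
 */
ULONG UpdateDotNetTraceInfo(
    __in PASMPAGE_CONTEXT Context,
    __in BOOLEAN ClrV2
    )
{
    static _EnableTraceEx EnableTraceEx_I = NULL;
    ULONG result;
    TRACEHANDLE sessionHandle;
    PEVENT_TRACE_PROPERTIES properties;
    PGUID guidToEnable;

    // EnableTraceEx is resolved dynamically and cached because it is not
    // exported by advapi32 on every OS this code runs on.
    if (!EnableTraceEx_I)
        EnableTraceEx_I = (_EnableTraceEx)PhGetProcAddress(L"advapi32.dll", "EnableTraceEx");
    if (!EnableTraceEx_I)
        return ERROR_NOT_SUPPORTED;

    result = StartDotNetTrace(Context, &sessionHandle, &properties);

    if (result != 0)
        return result;

    if (!ClrV2)
        guidToEnable = &ClrRundownProviderGuid;
    else
        guidToEnable = &ClrRuntimeProviderGuid;

    result = EnableTraceEx_I(
        guidToEnable,
        NULL,
        sessionHandle,
        1,
        TRACE_LEVEL_INFORMATION,
        CLR_LOADER_KEYWORD | CLR_STARTENUMERATION_KEYWORD,
        0,
        0,
        NULL
        );

    // The EnableTraceEx result used to be ignored, so a failed provider
    // enable silently produced an empty but "successful" trace. Only
    // process the session when the provider was actually enabled; otherwise
    // the enable error is what the caller sees.
    if (result == ERROR_SUCCESS)
        result = ProcessDotNetTrace(Context);

    // Stopping the session is best-effort cleanup; its status does not
    // override the result reported to the caller.
    ControlTrace(sessionHandle, NULL, properties, EVENT_TRACE_CONTROL_STOP);
    PhFree(properties);

    return result;
}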
_Out_opt_ PUNICODE_STRING OutOfProcessCallbackDllString ) { NTSTATUS status; PLIST_ENTRY (NTAPI *rtlGetFunctionTableListHead)(VOID); PLIST_ENTRY tableListHead; LIST_ENTRY tableListHeadEntry; PLIST_ENTRY tableListEntry; PDYNAMIC_FUNCTION_TABLE functionTableAddress; DYNAMIC_FUNCTION_TABLE functionTable; ULONG count; SIZE_T numberOfBytesRead; ULONG i; BOOLEAN foundNull; rtlGetFunctionTableListHead = PhGetProcAddress(L"ntdll.dll", "RtlGetFunctionTableListHead"); if (!rtlGetFunctionTableListHead) return STATUS_PROCEDURE_NOT_FOUND; tableListHead = rtlGetFunctionTableListHead(); // Find the function table entry for this address. if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, tableListHead, &tableListHeadEntry, sizeof(LIST_ENTRY), NULL )))