Пример #1
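/**
 * Process context-menu callback: adds the plugin's "Unloaded Modules" and
 * "WS Watch" entries to the existing "Miscellaneous" submenu.
 *
 * \param Parameter A PPH_PLUGIN_MENU_INFORMATION describing the menu being
 * built. Declared optional, so NULL is tolerated and simply ignored.
 * \param Context Unused.
 *
 * Both entries carry the selected process item as their menu context and are
 * created disabled unless exactly one process is selected. Nothing is added
 * when the "Miscellaneous" submenu cannot be found.
 */
VOID NTAPI ProcessMenuInitializingCallback(
    __in_opt PVOID Parameter,
    __in_opt PVOID Context
    )
{
    PPH_PLUGIN_MENU_INFORMATION menuInfo = Parameter;
    PPH_PROCESS_ITEM processItem = NULL;
    ULONG flags = 0;
    PPH_EMENU_ITEM miscMenu;

    // Parameter is declared optional; bail out rather than dereference NULL.
    if (!menuInfo)
        return;

    if (menuInfo->u.Process.NumberOfProcesses == 1)
        processItem = menuInfo->u.Process.Processes[0];

    // No single target process (none or several selected): grey the items out.
    if (!processItem)
        flags = PH_EMENU_DISABLED;

    miscMenu = PhFindEMenuItem(menuInfo->Menu, 0, L"Miscellaneous", 0);

    if (!miscMenu)
        return;

    PhInsertEMenuItem(miscMenu, PhPluginCreateEMenuItem(PluginInstance, flags, ID_PROCESS_UNLOADEDMODULES, L"Unloaded Modules", processItem), -1);
    PhInsertEMenuItem(miscMenu, PhPluginCreateEMenuItem(PluginInstance, flags, ID_PROCESS_WSWATCH, L"WS Watch", processItem), -1);
}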
Пример #2
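/**
 * Main-menu callback: adds the plugin's "Windows" entry, and optionally
 * "Desktop Windows...", to the View submenu.
 *
 * \param Parameter A PPH_PLUGIN_MENU_INFORMATION for the submenu being built.
 * Declared optional, so NULL is tolerated and simply ignored.
 * \param Context Unused.
 *
 * The entries are placed directly after the item whose text starts with
 * "System Information" when it is present, otherwise at the top of the menu.
 * "Desktop Windows..." is only added when the SETTING_NAME_SHOW_DESKTOP_WINDOWS
 * setting is non-zero.
 */
VOID NTAPI MainMenuInitializingCallback(
    _In_opt_ PVOID Parameter,
    _In_opt_ PVOID Context
)
{
    PPH_PLUGIN_MENU_INFORMATION menuInfo = Parameter;
    PPH_EMENU_ITEM anchorItem;
    PPH_EMENU_ITEM windowsItem;
    ULONG insertIndex = 0;

    // Parameter is declared optional; nothing to do without menu information.
    if (!menuInfo)
        return;

    // Only extend the View submenu.
    if (menuInfo->u.MainMenu.SubMenuIndex != PH_MENU_ITEM_LOCATION_VIEW)
        return;

    anchorItem = PhFindEMenuItem(menuInfo->Menu, PH_EMENU_FIND_STARTSWITH, L"System Information", 0);

    if (anchorItem)
        insertIndex = PhIndexOfEMenuItem(menuInfo->Menu, anchorItem) + 1;

    windowsItem = PhPluginCreateEMenuItem(PluginInstance, 0, ID_VIEW_WINDOWS, L"Windows", NULL);
    PhInsertEMenuItem(menuInfo->Menu, windowsItem, insertIndex);

    if (PhGetIntegerSetting(SETTING_NAME_SHOW_DESKTOP_WINDOWS))
    {
        // Place the desktop-windows entry immediately below the one just added.
        insertIndex = PhIndexOfEMenuItem(menuInfo->Menu, windowsItem) + 1;

        PhInsertEMenuItem(menuInfo->Menu, PhPluginCreateEMenuItem(PluginInstance, 0, ID_VIEW_DESKTOPWINDOWS, L"Desktop Windows...", NULL), insertIndex);
    }
}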
Пример #3
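/**
 * Network context-menu callback: inserts a "Tools" submenu holding the Ping,
 * Traceroute and Whois actions.
 *
 * \param Parameter A PPH_PLUGIN_MENU_INFORMATION for the network item menu.
 * Declared optional, so NULL is tolerated and simply ignored.
 * \param Context Unused.
 *
 * Each action carries the selected network item as its menu context. The
 * submenu is inserted as the second entry and is enabled only when exactly one
 * connection is selected and its remote address is not the null address.
 */
VOID NTAPI NetworkMenuInitializingCallback(
    _In_opt_ PVOID Parameter,
    _In_opt_ PVOID Context
    )
{
    PPH_PLUGIN_MENU_INFORMATION menuInfo = (PPH_PLUGIN_MENU_INFORMATION)Parameter;
    PPH_NETWORK_ITEM networkItem = NULL;
    PPH_EMENU_ITEM toolsMenu;

    // Parameter is declared optional; bail out rather than dereference NULL.
    if (!menuInfo)
        return;

    if (menuInfo->u.Network.NumberOfNetworkItems == 1)
        networkItem = menuInfo->u.Network.NetworkItems[0];

    // Create the Tools menu and its actions.
    toolsMenu = PhPluginCreateEMenuItem(PluginInstance, 0, 0, L"Tools", NULL);
    PhInsertEMenuItem(toolsMenu, PhPluginCreateEMenuItem(PluginInstance, 0, NETWORK_ACTION_PING, L"Ping", networkItem), -1);
    PhInsertEMenuItem(toolsMenu, PhPluginCreateEMenuItem(PluginInstance, 0, NETWORK_ACTION_TRACEROUTE, L"Traceroute", networkItem), -1);
    PhInsertEMenuItem(toolsMenu, PhPluginCreateEMenuItem(PluginInstance, 0, NETWORK_ACTION_WHOIS, L"Whois", networkItem), -1);

    // Insert the Tools menu into the network menu as its second entry.
    PhInsertEMenuItem(menuInfo->Menu, toolsMenu, 1);

    // Disabled by default; enabled only for a single item with a non-null remote address.
    toolsMenu->Flags |= PH_EMENU_DISABLED;

    if (networkItem && !PhIsNullIpAddress(&networkItem->RemoteEndpoint.Address))
    {
        toolsMenu->Flags &= ~PH_EMENU_DISABLED;
    }
}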
Пример #4
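/**
 * Service context-menu callback: appends a separator and a "Send to" submenu
 * with the hybrid-analysis.com, virustotal.com and virusscan.jotti.org upload
 * entries.
 *
 * \param Parameter A PPH_PLUGIN_MENU_INFORMATION for the service menu.
 * Declared optional, so NULL is tolerated and simply ignored.
 * \param Context Unused.
 *
 * Each upload entry receives the selected service item as its menu context
 * (NULL when there is no single selection); the submenu is disabled in that
 * case.
 */
VOID NTAPI ServiceMenuInitializingCallback(
    _In_opt_ PVOID Parameter,
    _In_opt_ PVOID Context
    )
{
    PPH_PLUGIN_MENU_INFORMATION menuInfo = Parameter;
    PPH_SERVICE_ITEM serviceItem = NULL;
    PPH_EMENU_ITEM sendToMenu;

    // Parameter is declared optional; bail out rather than dereference NULL.
    if (!menuInfo)
        return;

    if (menuInfo->u.Service.NumberOfServices == 1)
        serviceItem = menuInfo->u.Service.Services[0];

    // Build the submenu. serviceItem is passed as-is: the original
    // "serviceItem ? serviceItem : NULL" was an identity expression.
    sendToMenu = PhPluginCreateEMenuItem(PluginInstance, 0, 0, L"Sen&d to", NULL);
    PhInsertEMenuItem(sendToMenu, PhPluginCreateEMenuItem(PluginInstance, 0, MENUITEM_HYBRIDANALYSIS_UPLOAD_SERVICE, L"&hybrid-analysis.com", serviceItem), ULONG_MAX);
    PhInsertEMenuItem(sendToMenu, PhPluginCreateEMenuItem(PluginInstance, 0, MENUITEM_VIRUSTOTAL_UPLOAD_SERVICE, L"&virustotal.com", serviceItem), ULONG_MAX);
    PhInsertEMenuItem(sendToMenu, PhPluginCreateEMenuItem(PluginInstance, 0, MENUITEM_JOTTI_UPLOAD_SERVICE, L"virusscan.&jotti.org", serviceItem), ULONG_MAX);
    PhInsertEMenuItem(menuInfo->Menu, PhCreateEMenuSeparator(), ULONG_MAX);
    PhInsertEMenuItem(menuInfo->Menu, sendToMenu, ULONG_MAX);

    // No single target service: grey the whole submenu out.
    if (!serviceItem)
    {
        sendToMenu->Flags |= PH_EMENU_DISABLED;
    }
}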
Пример #5
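/**
 * Creates a "Send To" submenu with the three online-scanner entries and
 * inserts it into Parent directly after a given anchor item.
 *
 * \param Parent The menu that receives the new submenu.
 * \param InsertAfter Prefix of the text of the item to insert after. When no
 * item matches, the submenu is inserted at the top of Parent.
 * \param FileName Passed as the menu context of each scanner entry.
 *
 * \return The inserted submenu item.
 */
PPH_EMENU_ITEM CreateSendToMenu(
    __in PPH_EMENU_ITEM Parent,
    __in PWSTR InsertAfter,
    __in PPH_STRING FileName
    )
{
    PPH_EMENU_ITEM sendToMenu;
    PPH_EMENU_ITEM anchorItem;
    ULONG insertIndex = 0;

    // Create the Send To menu.
    sendToMenu = PhPluginCreateEMenuItem(PluginInstance, 0, 0, L"Send To", NULL);
    PhInsertEMenuItem(sendToMenu, PhPluginCreateEMenuItem(PluginInstance, 0, ID_SENDTO_SERVICE1, L"virustotal.com", FileName), -1);
    PhInsertEMenuItem(sendToMenu, PhPluginCreateEMenuItem(PluginInstance, 0, ID_SENDTO_SERVICE2, L"virusscan.jotti.org", FileName), -1);
    PhInsertEMenuItem(sendToMenu, PhPluginCreateEMenuItem(PluginInstance, 0, ID_SENDTO_SERVICE3, L"camas.comodo.com", FileName), -1);

    anchorItem = PhFindEMenuItem(Parent, PH_EMENU_FIND_STARTSWITH, InsertAfter, 0);

    // Insert just after the anchor. The explicit 0 default replaces the
    // original reliance on (ULONG)-1 + 1 wrapping around to 0.
    if (anchorItem)
        insertIndex = PhIndexOfEMenuItem(Parent, anchorItem) + 1;

    PhInsertEMenuItem(Parent, sendToMenu, insertIndex);

    return sendToMenu;
}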
Пример #6
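/**
 * Main-menu callback: adds a "Firmware Table" entry to the "System" submenu of
 * the Tools menu, creating that submenu (after a separator) if it is missing.
 *
 * \param Parameter A PPH_PLUGIN_MENU_INFORMATION for the submenu being built.
 * Declared optional, so NULL is tolerated and simply ignored.
 * \param Context Unused.
 *
 * The entry is disabled when the current token is not elevated.
 */
VOID NTAPI MainMenuInitializingCallback(
    _In_opt_ PVOID Parameter,
    _In_opt_ PVOID Context
    )
{
    PPH_PLUGIN_MENU_INFORMATION menuInfo = Parameter;
    PPH_EMENU_ITEM systemMenu;
    PPH_EMENU_ITEM bootMenuItem;

    // Parameter is declared optional; bail out rather than dereference NULL.
    if (!menuInfo)
        return;

    // Only extend the Tools submenu.
    if (menuInfo->u.MainMenu.SubMenuIndex != PH_MENU_ITEM_LOCATION_TOOLS)
        return;

    // Reuse an existing "System" submenu (presumably created by another
    // plugin); otherwise append one after a separator.
    systemMenu = PhFindEMenuItem(menuInfo->Menu, 0, L"System", 0);

    if (!systemMenu)
    {
        PhInsertEMenuItem(menuInfo->Menu, PhCreateEMenuSeparator(), -1);
        systemMenu = PhPluginCreateEMenuItem(PluginInstance, 0, 0, L"&System", NULL);
        PhInsertEMenuItem(menuInfo->Menu, systemMenu, -1);
    }

    bootMenuItem = PhPluginCreateEMenuItem(PluginInstance, 0, BOOT_ENTRIES_MENUITEM, L"Firm&ware Table", NULL);
    PhInsertEMenuItem(systemMenu, bootMenuItem, -1);

    // Grey the entry out for non-elevated tokens.
    if (!PhGetOwnTokenAttributes().Elevated)
    {
        bootMenuItem->Flags |= PH_EMENU_DISABLED;
    }
}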
Пример #7
/**
 * Builds the "Send to" submenu with the three upload entries and inserts it
 * into Parent.
 *
 * \param ProcessesMenu TRUE when Parent is the process context menu. In that
 * case the submenu is placed directly after the item whose text starts with
 * "Search online", followed by a separator. Otherwise, or when that item is
 * absent, a separator and then the submenu are appended at the end.
 * \param Parent The menu that receives the submenu.
 * \param FileName Passed as the menu context of each upload entry.
 *
 * \return The inserted submenu item.
 */
PPH_EMENU_ITEM CreateSendToMenu(
    _In_ BOOLEAN ProcessesMenu,
    _In_ PPH_EMENU_ITEM Parent,
    _In_ PPH_STRING FileName
    )
{
    PPH_EMENU_ITEM submenu;
    PPH_EMENU_ITEM searchOnlineItem = NULL;
    ULONG anchorIndex;

    submenu = PhPluginCreateEMenuItem(PluginInstance, 0, 0, L"Sen&d to", NULL);
    PhInsertEMenuItem(submenu, PhPluginCreateEMenuItem(PluginInstance, 0, MENUITEM_HYBRIDANALYSIS_UPLOAD, L"&hybrid-analysis.com", FileName), ULONG_MAX);
    PhInsertEMenuItem(submenu, PhPluginCreateEMenuItem(PluginInstance, 0, MENUITEM_VIRUSTOTAL_UPLOAD, L"&virustotal.com", FileName), ULONG_MAX);
    PhInsertEMenuItem(submenu, PhPluginCreateEMenuItem(PluginInstance, 0, MENUITEM_JOTTI_UPLOAD, L"virusscan.&jotti.org", FileName), ULONG_MAX);

    // The "Search online" anchor is only looked up on the process menu.
    if (ProcessesMenu)
        searchOnlineItem = PhFindEMenuItem(Parent, PH_EMENU_FIND_STARTSWITH, L"Search online", 0);

    if (!searchOnlineItem)
    {
        // Fallback: separator first, then the submenu, both at the end.
        PhInsertEMenuItem(Parent, PhCreateEMenuSeparator(), ULONG_MAX);
        PhInsertEMenuItem(Parent, submenu, ULONG_MAX);
        return submenu;
    }

    // Submenu right after the anchor, separator right after the submenu.
    anchorIndex = PhIndexOfEMenuItem(Parent, searchOnlineItem);
    PhInsertEMenuItem(Parent, submenu, anchorIndex + 1);
    PhInsertEMenuItem(Parent, PhCreateEMenuSeparator(), anchorIndex + 2);

    return submenu;
}
Пример #8
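/**
 * Main-menu callback: appends a separator and a "Terminate Sandboxed
 * Processes" entry to the Tools submenu.
 *
 * \param Parameter A PPH_PLUGIN_MENU_INFORMATION for the submenu being built.
 * Declared optional, so NULL is tolerated and simply ignored.
 * \param Context Unused.
 *
 * Nothing is added when SbieDll_KillAll is not available.
 */
VOID NTAPI MainMenuInitializingCallback(
    _In_opt_ PVOID Parameter,
    _In_opt_ PVOID Context
    )
{
    PPH_PLUGIN_MENU_INFORMATION menuInfo = Parameter;

    // Parameter is declared optional; bail out rather than dereference NULL.
    if (!menuInfo)
        return;

    // SbieDll_KillAll is presumably resolved at runtime; without it the menu
    // entry would have nothing to call.
    if (!SbieDll_KillAll)
        return;

    // Only extend the Tools submenu.
    if (menuInfo->u.MainMenu.SubMenuIndex != PH_MENU_ITEM_LOCATION_TOOLS)
        return;

    PhInsertEMenuItem(menuInfo->Menu, PhPluginCreateEMenuItem(PluginInstance, PH_EMENU_SEPARATOR, 0, NULL, NULL), -1);
    // Command ID 1 must match the handler for this entry elsewhere in the plugin.
    PhInsertEMenuItem(menuInfo->Menu, PhPluginCreateEMenuItem(PluginInstance, 0, 1, L"Terminate Sandboxed Processes", NULL), -1);
}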
Пример #9
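/**
 * Thread context-menu callback: adds a "Cancel I/O" entry directly after the
 * "Resume" item, or at the top of the menu when "Resume" is absent.
 *
 * \param Parameter A PPH_PLUGIN_MENU_INFORMATION for the thread menu.
 * Declared optional, so NULL is tolerated and simply ignored.
 * \param Context Unused.
 *
 * The entry carries the selected thread item as its menu context and is
 * created disabled unless exactly one thread is selected.
 */
VOID NTAPI ThreadMenuInitializingCallback(
    __in_opt PVOID Parameter,
    __in_opt PVOID Context
    )
{
    PPH_PLUGIN_MENU_INFORMATION menuInfo = Parameter;
    PPH_THREAD_ITEM threadItem = NULL;
    ULONG insertIndex = 0;
    ULONG flags = 0;
    PPH_EMENU_ITEM resumeItem;

    // Parameter is declared optional; bail out rather than dereference NULL.
    if (!menuInfo)
        return;

    if (menuInfo->u.Thread.NumberOfThreads == 1)
        threadItem = menuInfo->u.Thread.Threads[0];

    // No single target thread: create the entry already disabled.
    if (!threadItem)
        flags = PH_EMENU_DISABLED;

    resumeItem = PhFindEMenuItem(menuInfo->Menu, 0, L"Resume", 0);

    if (resumeItem)
        insertIndex = PhIndexOfEMenuItem(menuInfo->Menu, resumeItem) + 1;

    PhInsertEMenuItem(menuInfo->Menu, PhPluginCreateEMenuItem(PluginInstance, flags, ID_THREAD_CANCELIO,
        L"Cancel I/O", threadItem), insertIndex);
}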
Пример #10
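/**
 * Main-menu callback: adds a "DNS Cache Table" entry to the "System" submenu
 * of the Tools menu, creating that submenu (after a separator) if it is
 * missing.
 *
 * \param Parameter A PPH_PLUGIN_MENU_INFORMATION for the submenu being built.
 * Declared optional, so NULL is tolerated and simply ignored.
 * \param Context Unused.
 */
VOID NTAPI MainMenuInitializingCallback(
    _In_opt_ PVOID Parameter,
    _In_opt_ PVOID Context
    )
{
    PPH_PLUGIN_MENU_INFORMATION menuInfo = Parameter;
    PPH_EMENU_ITEM systemMenu;

    // Parameter is declared optional; bail out rather than dereference NULL.
    if (!menuInfo)
        return;

    // Only extend the Tools submenu.
    if (menuInfo->u.MainMenu.SubMenuIndex != PH_MENU_ITEM_LOCATION_TOOLS)
        return;

    // Reuse an existing "System" submenu (presumably created by another
    // plugin); otherwise append one after a separator.
    systemMenu = PhFindEMenuItem(menuInfo->Menu, 0, L"System", 0);

    if (!systemMenu)
    {
        PhInsertEMenuItem(menuInfo->Menu, PhCreateEMenuSeparator(), -1);
        systemMenu = PhPluginCreateEMenuItem(PluginInstance, 0, 0, L"&System", NULL);
        PhInsertEMenuItem(menuInfo->Menu, systemMenu, -1);
    }

    PhInsertEMenuItem(systemMenu, PhPluginCreateEMenuItem(PluginInstance, 0, DNSCACHE_MENUITEM, L"&DNS Cache Table", NULL), -1);
}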
Пример #11
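/**
 * Main-menu callback: appends a "Boot Entries" entry to the Tools submenu.
 *
 * \param Parameter A PPH_PLUGIN_MENU_INFORMATION for the submenu being built.
 * Declared optional, so NULL is tolerated and simply ignored.
 * \param Context Unused.
 */
static VOID NTAPI MainMenuInitializingCallback(
    _In_opt_ PVOID Parameter,
    _In_opt_ PVOID Context
    )
{
    PPH_PLUGIN_MENU_INFORMATION menuInfo = Parameter;

    // Parameter is declared optional; bail out rather than dereference NULL.
    if (!menuInfo)
        return;

    // Only extend the Tools submenu.
    if (menuInfo->u.MainMenu.SubMenuIndex != PH_MENU_ITEM_LOCATION_TOOLS)
        return;

    PhInsertEMenuItem(menuInfo->Menu, PhPluginCreateEMenuItem(PluginInstance, 0, BOOT_ENTRIES_MENUITEM, L"Boot Entries", NULL), -1);
}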
Пример #12
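/**
 * Main-menu callback: appends a "Global Atom Table" entry to the Tools
 * submenu.
 *
 * \param Parameter A PPH_PLUGIN_MENU_INFORMATION for the submenu being built.
 * Declared optional, so NULL is tolerated and simply ignored.
 * \param Context Unused.
 */
static VOID NTAPI MainMenuInitializingCallback(
    _In_opt_ PVOID Parameter,
    _In_opt_ PVOID Context
    )
{
    PPH_PLUGIN_MENU_INFORMATION menuInfo = Parameter;

    // Parameter is declared optional; bail out rather than dereference NULL.
    if (!menuInfo)
        return;

    // Only extend the Tools submenu.
    if (menuInfo->u.MainMenu.SubMenuIndex != PH_MENU_ITEM_LOCATION_TOOLS)
        return;

    PhInsertEMenuItem(menuInfo->Menu, PhPluginCreateEMenuItem(PluginInstance, 0, ATOM_TABLE_MENUITEM, L"Global Atom Table", NULL), -1);
}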
Пример #13
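/**
 * Main-menu callback: inserts a "Check for Updates" entry at the top of the
 * Help submenu.
 *
 * \param Parameter A PPH_PLUGIN_MENU_INFORMATION for the submenu being built.
 * Declared optional; NULL is ignored.
 * \param Context Unused.
 */
static VOID NTAPI MainMenuInitializingCallback(
    _In_opt_ PVOID Parameter,
    _In_opt_ PVOID Context
    )
{
    // Position of the Help submenu on the main menu bar (was a bare 4).
    enum { HELP_SUBMENU_INDEX = 4 };
    PPH_PLUGIN_MENU_INFORMATION menuInfo = Parameter;

    // Check this menu is the Help menu
    if (!menuInfo || menuInfo->u.MainMenu.SubMenuIndex != HELP_SUBMENU_INDEX)
        return;

    // Index 0 places the entry first in the Help menu.
    PhInsertEMenuItem(menuInfo->Menu, PhPluginCreateEMenuItem(PluginInstance, 0, UPDATE_MENUITEM, L"Check for Updates", NULL), 0);
}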
Пример #14
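/**
 * Main-menu callback: appends an "Online Checks" submenu to the Tools menu
 * with the VirusTotal enable toggle, a separator, and the Hybrid-Analysis and
 * VirusTotal file-upload entries.
 *
 * \param Parameter A PPH_PLUGIN_MENU_INFORMATION for the submenu being built.
 * Declared optional, so NULL is tolerated and simply ignored.
 * \param Context Unused.
 *
 * The toggle entry is shown checked when VirusTotalScanningEnabled is set.
 */
VOID NTAPI MainMenuInitializingCallback(
    _In_opt_ PVOID Parameter,
    _In_opt_ PVOID Context
    )
{
    PPH_EMENU_ITEM onlineMenuItem;
    PPH_EMENU_ITEM enableMenuItem;
    PPH_PLUGIN_MENU_INFORMATION menuInfo = Parameter;

    // Parameter is declared optional; bail out rather than dereference NULL.
    if (!menuInfo)
        return;

    // Only extend the Tools submenu.
    if (menuInfo->u.MainMenu.SubMenuIndex != PH_MENU_ITEM_LOCATION_TOOLS)
        return;

    onlineMenuItem = PhPluginCreateEMenuItem(PluginInstance, 0, 0, L"&Online Checks", NULL);
    enableMenuItem = PhPluginCreateEMenuItem(PluginInstance, 0, ENABLE_SERVICE_VIRUSTOTAL, L"&Enable VirusTotal scanning", NULL);
    PhInsertEMenuItem(onlineMenuItem, enableMenuItem, ULONG_MAX);
    PhInsertEMenuItem(onlineMenuItem, PhCreateEMenuSeparator(), ULONG_MAX);
    PhInsertEMenuItem(onlineMenuItem, PhPluginCreateEMenuItem(PluginInstance, 0, MENUITEM_HYBRIDANALYSIS_UPLOAD_FILE, L"Upload file to &Hybrid-Analysis...", NULL), ULONG_MAX);
    PhInsertEMenuItem(onlineMenuItem, PhPluginCreateEMenuItem(PluginInstance, 0, MENUITEM_VIRUSTOTAL_UPLOAD_FILE, L"&Upload file to VirusTotal...", NULL), ULONG_MAX);
    PhInsertEMenuItem(menuInfo->Menu, onlineMenuItem, ULONG_MAX);

    // Mirror the current setting on the toggle entry.
    if (VirusTotalScanningEnabled)
    {
        enableMenuItem->Flags |= PH_EMENU_CHECKED;
    }
}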
Пример #15
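/**
 * Main-menu callback: appends a "Live kernel dump..." entry to the Tools
 * submenu.
 *
 * \param Parameter A PPH_PLUGIN_MENU_INFORMATION for the submenu being built.
 * Declared optional, so NULL is tolerated and simply ignored.
 * \param Context Unused.
 *
 * The entry is disabled on Windows versions below 8.1 and when the current
 * token is not elevated.
 */
VOID NTAPI MainMenuInitializingCallback(
    _In_opt_ PVOID Parameter,
    _In_opt_ PVOID Context
    )
{
    PPH_PLUGIN_MENU_INFORMATION menuInfo = Parameter;
    PPH_EMENU_ITEM liveDumpMenu;

    // Parameter is declared optional; bail out rather than dereference NULL.
    if (!menuInfo)
        return;

    // Only extend the Tools submenu.
    if (menuInfo->u.MainMenu.SubMenuIndex != PH_MENU_ITEM_LOCATION_TOOLS)
        return;

    liveDumpMenu = PhPluginCreateEMenuItem(PluginInstance, 0, PLUGIN_MENU_ITEM, L"&Live kernel dump...", NULL);
    PhInsertEMenuItem(menuInfo->Menu, liveDumpMenu, -1);

    // Grey the entry out where it cannot be used: pre-8.1 systems or a
    // non-elevated token.
    if (WindowsVersion < WINDOWS_8_1 || !PhGetOwnTokenAttributes().Elevated)
    {
        liveDumpMenu->Flags |= PH_EMENU_DISABLED;
    }
}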
Пример #16
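/**
 * Module context-menu callback: adds a "Services" entry directly after the
 * "Inspect" item (or at the top when "Inspect" is absent), but only for
 * processes that host at least one service.
 *
 * \param Parameter A PPH_PLUGIN_MENU_INFORMATION for the module menu.
 * Declared optional, so NULL is tolerated and simply ignored.
 * \param Context Unused.
 *
 * The entry carries the selected module item as its menu context and is
 * created disabled unless exactly one module is selected. As a side effect the
 * file-scope ModuleProcessId is set to the owning process ID.
 */
VOID NTAPI ModuleMenuInitializingCallback(
    __in_opt PVOID Parameter,
    __in_opt PVOID Context
    )
{
    PPH_PLUGIN_MENU_INFORMATION menuInfo = Parameter;
    PPH_PROCESS_ITEM processItem;
    BOOLEAN addMenuItem = FALSE;
    PPH_MODULE_ITEM moduleItem = NULL;
    ULONG insertIndex = 0;
    ULONG flags = 0;
    PPH_EMENU_ITEM inspectItem;

    // Parameter is declared optional; bail out rather than dereference NULL.
    if (!menuInfo)
        return;

    // The entry is only meaningful for a process that hosts services. The
    // referenced process item is released before continuing.
    processItem = PhReferenceProcessItem(menuInfo->u.Module.ProcessId);

    if (processItem)
    {
        if (processItem->ServiceList && processItem->ServiceList->Count != 0)
            addMenuItem = TRUE;

        PhDereferenceObject(processItem);
    }

    if (!addMenuItem)
        return;

    if (menuInfo->u.Module.NumberOfModules == 1)
        moduleItem = menuInfo->u.Module.Modules[0];

    // No single target module: create the entry already disabled.
    if (!moduleItem)
        flags = PH_EMENU_DISABLED;

    inspectItem = PhFindEMenuItem(menuInfo->Menu, 0, L"Inspect", 0);

    if (inspectItem)
        insertIndex = PhIndexOfEMenuItem(menuInfo->Menu, inspectItem) + 1;

    // Remembered for later use by the plugin; presumably read by the
    // menu-item handler rather than taken from the item context.
    ModuleProcessId = menuInfo->u.Module.ProcessId;

    PhInsertEMenuItem(menuInfo->Menu, PhPluginCreateEMenuItem(PluginInstance, flags, ID_MODULE_SERVICES,
        L"Services", moduleItem), insertIndex);
}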
Пример #17
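/**
 * Process context-menu callback: appends a "Critical" entry to the existing
 * "Miscellaneous" submenu.
 *
 * \param Parameter A PPH_PLUGIN_MENU_INFORMATION for the process menu.
 * Declared optional, so NULL is tolerated and simply ignored.
 * \param Context Unused.
 *
 * The entry carries the selected process item as its menu context. With
 * exactly one process selected, the entry is shown checked when that process
 * has ProcessBreakOnTermination set; query failures leave it unchecked.
 * Without a single selection the entry is disabled. Nothing is added when the
 * "Miscellaneous" submenu cannot be found.
 */
VOID NTAPI ProcessMenuInitializingCallback(
    _In_opt_ PVOID Parameter,
    _In_opt_ PVOID Context
    )
{
    PPH_PLUGIN_MENU_INFORMATION menuInfo = Parameter;
    PPH_EMENU_ITEM miscMenuItem;
    PPH_EMENU_ITEM criticalMenuItem;
    PPH_PROCESS_ITEM processItem;
    HANDLE processHandle;
    ULONG breakOnTermination = 0;

    // Parameter is declared optional; bail out rather than dereference NULL.
    if (!menuInfo)
        return;

    miscMenuItem = PhFindEMenuItem(menuInfo->Menu, 0, L"Miscellaneous", 0);

    if (!miscMenuItem)
        return;

    processItem = menuInfo->u.Process.NumberOfProcesses == 1 ? menuInfo->u.Process.Processes[0] : NULL;
    criticalMenuItem = PhPluginCreateEMenuItem(PluginInstance, 0, CRITICAL_MENU_ITEM, L"&Critical", processItem);
    PhInsertEMenuItem(miscMenuItem, criticalMenuItem, -1);

    // No single target process: grey the entry out.
    if (!processItem)
    {
        criticalMenuItem->Flags |= PH_EMENU_DISABLED;
        return;
    }

    // Reflect the process's current break-on-termination state. The handle is
    // closed on every path after a successful open.
    if (NT_SUCCESS(PhOpenProcess(&processHandle, PROCESS_QUERY_INFORMATION, processItem->ProcessId)))
    {
        if (NT_SUCCESS(NtQueryInformationProcess(processHandle, ProcessBreakOnTermination, &breakOnTermination, sizeof(ULONG), NULL)) &&
            breakOnTermination)
        {
            criticalMenuItem->Flags |= PH_EMENU_CHECKED;
        }

        NtClose(processHandle);
    }
}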