PPH_SERVICE_ITEM PhCreateServiceItem(
_In_opt_ LPENUM_SERVICE_STATUS_PROCESS Information
)
{
PPH_SERVICE_ITEM serviceItem;
serviceItem = PhCreateObject(
PhEmGetObjectSize(EmServiceItemType, sizeof(PH_SERVICE_ITEM)),
PhServiceItemType
);
memset(serviceItem, 0, sizeof(PH_SERVICE_ITEM));
if (Information)
{
serviceItem->Name = PhCreateString(Information->lpServiceName);
serviceItem->Key = serviceItem->Name->sr;
serviceItem->DisplayName = PhCreateString(Information->lpDisplayName);
serviceItem->Type = Information->ServiceStatusProcess.dwServiceType;
serviceItem->State = Information->ServiceStatusProcess.dwCurrentState;
serviceItem->ControlsAccepted = Information->ServiceStatusProcess.dwControlsAccepted;
serviceItem->Flags = Information->ServiceStatusProcess.dwServiceFlags;
serviceItem->ProcessId = UlongToHandle(Information->ServiceStatusProcess.dwProcessId);
if (serviceItem->ProcessId)
PhPrintUInt32(serviceItem->ProcessIdString, HandleToUlong(serviceItem->ProcessId));
}
PhEmCallObjectOperation(EmServiceItemType, serviceItem, EmObjectCreate);
return serviceItem;
}
PPH_HANDLE_ITEM PhCreateHandleItem(
_In_opt_ PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handle
)
{
PPH_HANDLE_ITEM handleItem;
handleItem = PhCreateObject(
PhEmGetObjectSize(EmHandleItemType, sizeof(PH_HANDLE_ITEM)),
PhHandleItemType
);
memset(handleItem, 0, sizeof(PH_HANDLE_ITEM));
if (Handle)
{
handleItem->Handle = (HANDLE)Handle->HandleValue;
PhPrintPointer(handleItem->HandleString, (PVOID)handleItem->Handle);
handleItem->Object = Handle->Object;
PhPrintPointer(handleItem->ObjectString, handleItem->Object);
handleItem->Attributes = Handle->HandleAttributes;
handleItem->GrantedAccess = (ACCESS_MASK)Handle->GrantedAccess;
PhPrintPointer(handleItem->GrantedAccessString, UlongToPtr(handleItem->GrantedAccess));
}
PhEmCallObjectOperation(EmHandleItemType, handleItem, EmObjectCreate);
return handleItem;
}
PPH_MODULE_PROVIDER PhCreateModuleProvider(
__in HANDLE ProcessId
)
{
PPH_MODULE_PROVIDER moduleProvider;
if (!NT_SUCCESS(PhCreateObject(
&moduleProvider,
sizeof(PH_MODULE_PROVIDER),
0,
PhModuleProviderType
)))
return NULL;
moduleProvider->ModuleHashtable = PhCreateHashtable(
sizeof(PPH_MODULE_ITEM),
PhpModuleHashtableCompareFunction,
PhpModuleHashtableHashFunction,
20
);
PhInitializeFastLock(&moduleProvider->ModuleHashtableLock);
PhInitializeCallback(&moduleProvider->ModuleAddedEvent);
PhInitializeCallback(&moduleProvider->ModuleModifiedEvent);
PhInitializeCallback(&moduleProvider->ModuleRemovedEvent);
PhInitializeCallback(&moduleProvider->UpdatedEvent);
moduleProvider->ProcessId = ProcessId;
moduleProvider->ProcessHandle = NULL;
// It doesn't matter if we can't get a process handle.
// Try to get a handle with query information + vm read access.
if (!NT_SUCCESS(PhOpenProcess(
&moduleProvider->ProcessHandle,
PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
ProcessId
)))
{
if (WINDOWS_HAS_LIMITED_ACCESS)
{
// Try to get a handle with query limited information + vm read access.
PhOpenProcess(
&moduleProvider->ProcessHandle,
PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ,
ProcessId
);
}
}
RtlInitializeSListHead(&moduleProvider->QueryListHead);
return moduleProvider;
}
PET_DISK_ITEM EtCreateDiskItem(
VOID
)
{
PET_DISK_ITEM diskItem;
diskItem = PhCreateObject(sizeof(ET_DISK_ITEM), EtDiskItemType);
memset(diskItem, 0, sizeof(ET_DISK_ITEM));
return diskItem;
}
/**
* Creates a reference-counted memory block.
*
* \param Alloc A variable which receives a pointer to the
* memory block.
* \param Size The number of bytes to allocate.
*/
NTSTATUS PhCreateAlloc(
__out PVOID *Alloc,
__in SIZE_T Size
)
{
return PhCreateObject(
Alloc,
Size,
0,
PhAllocType
);
}
/**
* Creates an object type.
*
* \param ObjectType A variable which receives a pointer to the newly
* created object type.
* \param Name The name of the type.
* \param Flags A combination of flags affecting the behaviour of the
* object type.
* \param DeleteProcedure A callback function that is executed when
* an object of this type is about to be freed (i.e. when its
* reference count is 0).
* \param Parameters A structure containing additional parameters
* for the object type.
*
* \remarks Do not reference or dereference the object type once it
* is created.
*/
NTSTATUS PhCreateObjectTypeEx(
__out PPH_OBJECT_TYPE *ObjectType,
__in PWSTR Name,
__in ULONG Flags,
__in_opt PPH_TYPE_DELETE_PROCEDURE DeleteProcedure,
__in_opt PPH_OBJECT_TYPE_PARAMETERS Parameters
)
{
NTSTATUS status = STATUS_SUCCESS;
PPH_OBJECT_TYPE objectType;
/* Check the flags. */
if ((Flags & PHOBJTYPE_VALID_FLAGS) != Flags) /* Valid flag mask */
return STATUS_INVALID_PARAMETER_3;
if ((Flags & PHOBJTYPE_USE_FREE_LIST) && !Parameters)
return STATUS_INVALID_PARAMETER_MIX;
/* Create the type object. */
status = PhCreateObject(
&objectType,
sizeof(PH_OBJECT_TYPE),
0,
PhObjectTypeObject
);
if (!NT_SUCCESS(status))
return status;
/* Initialize the type object. */
objectType->Flags = Flags;
objectType->DeleteProcedure = DeleteProcedure;
objectType->Name = Name;
objectType->NumberOfObjects = 0;
if (Parameters)
{
if (Flags & PHOBJTYPE_USE_FREE_LIST)
{
PhInitializeFreeList(
&objectType->FreeList,
PhpAddObjectHeaderSize(Parameters->FreeListSize),
Parameters->FreeListCount
);
}
}
*ObjectType = objectType;
return status;
}
PPH_THREAD_PROVIDER PhCreateThreadProvider(
__in HANDLE ProcessId
)
{
PPH_THREAD_PROVIDER threadProvider;
if (!NT_SUCCESS(PhCreateObject(
&threadProvider,
sizeof(PH_THREAD_PROVIDER),
0,
PhThreadProviderType
)))
return NULL;
threadProvider->ThreadHashtable = PhCreateHashtable(
sizeof(PPH_THREAD_ITEM),
PhpThreadHashtableCompareFunction,
PhpThreadHashtableHashFunction,
20
);
PhInitializeFastLock(&threadProvider->ThreadHashtableLock);
PhInitializeCallback(&threadProvider->ThreadAddedEvent);
PhInitializeCallback(&threadProvider->ThreadModifiedEvent);
PhInitializeCallback(&threadProvider->ThreadRemovedEvent);
PhInitializeCallback(&threadProvider->UpdatedEvent);
PhInitializeCallback(&threadProvider->LoadingStateChangedEvent);
threadProvider->ProcessId = ProcessId;
threadProvider->SymbolProvider = PhCreateSymbolProvider(ProcessId);
if (threadProvider->SymbolProvider)
{
if (threadProvider->SymbolProvider->IsRealHandle)
threadProvider->ProcessHandle = threadProvider->SymbolProvider->ProcessHandle;
}
PhInitializeEvent(&threadProvider->SymbolsLoadedEvent);
threadProvider->SymbolsLoading = 0;
RtlInitializeSListHead(&threadProvider->QueryListHead);
threadProvider->RunId = 1;
// Begin loading symbols for the process' modules.
PhReferenceObject(threadProvider);
PhpQueueThreadWorkQueueItem(PhpThreadProviderLoadSymbols, threadProvider);
return threadProvider;
}
PPH_MODULE_ITEM PhCreateModuleItem(
VOID
)
{
PPH_MODULE_ITEM moduleItem;
moduleItem = PhCreateObject(
PhEmGetObjectSize(EmModuleItemType, sizeof(PH_MODULE_ITEM)),
PhModuleItemType
);
memset(moduleItem, 0, sizeof(PH_MODULE_ITEM));
PhEmCallObjectOperation(EmModuleItemType, moduleItem, EmObjectCreate);
return moduleItem;
}
PPH_THREAD_PROVIDER PhCreateThreadProvider(
_In_ HANDLE ProcessId
)
{
PPH_THREAD_PROVIDER threadProvider;
threadProvider = PhCreateObject(
PhEmGetObjectSize(EmThreadProviderType, sizeof(PH_THREAD_PROVIDER)),
PhThreadProviderType
);
memset(threadProvider, 0, sizeof(PH_THREAD_PROVIDER));
threadProvider->ThreadHashtable = PhCreateHashtable(
sizeof(PPH_THREAD_ITEM),
PhpThreadHashtableEqualFunction,
PhpThreadHashtableHashFunction,
20
);
PhInitializeFastLock(&threadProvider->ThreadHashtableLock);
PhInitializeCallback(&threadProvider->ThreadAddedEvent);
PhInitializeCallback(&threadProvider->ThreadModifiedEvent);
PhInitializeCallback(&threadProvider->ThreadRemovedEvent);
PhInitializeCallback(&threadProvider->UpdatedEvent);
PhInitializeCallback(&threadProvider->LoadingStateChangedEvent);
threadProvider->ProcessId = ProcessId;
threadProvider->SymbolProvider = PhCreateSymbolProvider(ProcessId);
if (threadProvider->SymbolProvider)
{
if (threadProvider->SymbolProvider->IsRealHandle)
threadProvider->ProcessHandle = threadProvider->SymbolProvider->ProcessHandle;
}
RtlInitializeSListHead(&threadProvider->QueryListHead);
PhInitializeQueuedLock(&threadProvider->LoadSymbolsLock);
threadProvider->RunId = 1;
threadProvider->SymbolsLoadedRunId = 0; // Force symbols to be loaded the first time we try to resolve an address
PhEmCallObjectOperation(EmThreadProviderType, threadProvider, EmObjectCreate);
return threadProvider;
}
PPH_THREAD_ITEM PhCreateThreadItem(
_In_ HANDLE ThreadId
)
{
PPH_THREAD_ITEM threadItem;
threadItem = PhCreateObject(
PhEmGetObjectSize(EmThreadItemType, sizeof(PH_THREAD_ITEM)),
PhThreadItemType
);
memset(threadItem, 0, sizeof(PH_THREAD_ITEM));
threadItem->ThreadId = ThreadId;
PhPrintUInt32(threadItem->ThreadIdString, HandleToUlong(ThreadId));
PhEmCallObjectOperation(EmThreadItemType, threadItem, EmObjectCreate);
return threadItem;
}
PET_DISK_ITEM EtCreateDiskItem(
VOID
)
{
PET_DISK_ITEM diskItem;
if (!NT_SUCCESS(PhCreateObject(
&diskItem,
sizeof(ET_DISK_ITEM),
0,
EtDiskItemType
)))
return NULL;
memset(diskItem, 0, sizeof(ET_DISK_ITEM));
return diskItem;
}
PPH_MODULE_ITEM PhCreateModuleItem(
VOID
)
{
PPH_MODULE_ITEM moduleItem;
if (!NT_SUCCESS(PhCreateObject(
&moduleItem,
PhEmGetObjectSize(EmModuleItemType, sizeof(PH_MODULE_ITEM)),
0,
PhModuleItemType
)))
return NULL;
memset(moduleItem, 0, sizeof(PH_MODULE_ITEM));
PhEmCallObjectOperation(EmModuleItemType, moduleItem, EmObjectCreate);
return moduleItem;
}
PDV_NETADAPTER_ENTRY CreateNetAdapterEntry(
_In_ PDV_NETADAPTER_ID Id
)
{
PDV_NETADAPTER_ENTRY entry;
entry = PhCreateObject(sizeof(DV_NETADAPTER_ENTRY), NetAdapterEntryType);
memset(entry, 0, sizeof(DV_NETADAPTER_ENTRY));
CopyNetAdapterId(&entry->Id, Id);
PhInitializeCircularBuffer_ULONG64(&entry->InboundBuffer, PhGetIntegerSetting(L"SampleCount"));
PhInitializeCircularBuffer_ULONG64(&entry->OutboundBuffer, PhGetIntegerSetting(L"SampleCount"));
PhAcquireQueuedLockExclusive(&NetworkAdaptersListLock);
PhAddItemList(NetworkAdaptersList, entry);
PhReleaseQueuedLockExclusive(&NetworkAdaptersListLock);
return entry;
}
PDV_DISK_ENTRY CreateDiskEntry(
_In_ PDV_DISK_ID Id
)
{
PDV_DISK_ENTRY entry;
entry = PhCreateObject(sizeof(DV_DISK_ENTRY), DiskDriveEntryType);
memset(entry, 0, sizeof(DV_DISK_ENTRY));
entry->DiskIndex = ULONG_MAX;
CopyDiskId(&entry->Id, Id);
PhInitializeCircularBuffer_ULONG64(&entry->ReadBuffer, PhGetIntegerSetting(L"SampleCount"));
PhInitializeCircularBuffer_ULONG64(&entry->WriteBuffer, PhGetIntegerSetting(L"SampleCount"));
PhAcquireQueuedLockExclusive(&DiskDrivesListLock);
PhAddItemList(DiskDrivesList, entry);
PhReleaseQueuedLockExclusive(&DiskDrivesListLock);
return entry;
}
PPH_THREAD_ITEM PhCreateThreadItem(
__in HANDLE ThreadId
)
{
PPH_THREAD_ITEM threadItem;
if (!NT_SUCCESS(PhCreateObject(
&threadItem,
PhEmGetObjectSize(EmThreadItemType, sizeof(PH_THREAD_ITEM)),
0,
PhThreadItemType
)))
return NULL;
memset(threadItem, 0, sizeof(PH_THREAD_ITEM));
threadItem->ThreadId = ThreadId;
PhPrintUInt32(threadItem->ThreadIdString, (ULONG)ThreadId);
PhEmCallObjectOperation(EmThreadItemType, threadItem, EmObjectCreate);
return threadItem;
}
PPH_HANDLE_PROVIDER PhCreateHandleProvider(
__in HANDLE ProcessId
)
{
PPH_HANDLE_PROVIDER handleProvider;
if (!NT_SUCCESS(PhCreateObject(
&handleProvider,
sizeof(PH_HANDLE_PROVIDER),
0,
PhHandleProviderType
)))
return NULL;
handleProvider->HandleHashSetSize = 128;
handleProvider->HandleHashSet = PhCreateHashSet(handleProvider->HandleHashSetSize);
handleProvider->HandleHashSetCount = 0;
PhInitializeQueuedLock(&handleProvider->HandleHashSetLock);
PhInitializeCallback(&handleProvider->HandleAddedEvent);
PhInitializeCallback(&handleProvider->HandleModifiedEvent);
PhInitializeCallback(&handleProvider->HandleRemovedEvent);
PhInitializeCallback(&handleProvider->UpdatedEvent);
handleProvider->ProcessId = ProcessId;
handleProvider->ProcessHandle = NULL;
PhOpenProcess(
&handleProvider->ProcessHandle,
PROCESS_DUP_HANDLE,
ProcessId
);
handleProvider->TempListHashtable = PhCreateSimpleHashtable(20);
return handleProvider;
}
PPH_HANDLE_PROVIDER PhCreateHandleProvider(
_In_ HANDLE ProcessId
)
{
PPH_HANDLE_PROVIDER handleProvider;
handleProvider = PhCreateObject(
PhEmGetObjectSize(EmHandleProviderType, sizeof(PH_HANDLE_PROVIDER)),
PhHandleProviderType
);
handleProvider->HandleHashSetSize = 128;
handleProvider->HandleHashSet = PhCreateHashSet(handleProvider->HandleHashSetSize);
handleProvider->HandleHashSetCount = 0;
PhInitializeQueuedLock(&handleProvider->HandleHashSetLock);
PhInitializeCallback(&handleProvider->HandleAddedEvent);
PhInitializeCallback(&handleProvider->HandleModifiedEvent);
PhInitializeCallback(&handleProvider->HandleRemovedEvent);
PhInitializeCallback(&handleProvider->UpdatedEvent);
handleProvider->ProcessId = ProcessId;
handleProvider->ProcessHandle = NULL;
handleProvider->RunStatus = PhOpenProcess(
&handleProvider->ProcessHandle,
PROCESS_DUP_HANDLE,
ProcessId
);
handleProvider->TempListHashtable = PhCreateSimpleHashtable(20);
PhEmCallObjectOperation(EmHandleProviderType, handleProvider, EmObjectCreate);
return handleProvider;
}
PPH_SYMBOL_PROVIDER PhCreateSymbolProvider(
_In_opt_ HANDLE ProcessId
)
{
PPH_SYMBOL_PROVIDER symbolProvider;
if (!NT_SUCCESS(PhCreateObject(
&symbolProvider,
sizeof(PH_SYMBOL_PROVIDER),
0,
PhSymbolProviderType
)))
return NULL;
InitializeListHead(&symbolProvider->ModulesListHead);
PhInitializeQueuedLock(&symbolProvider->ModulesListLock);
PhInitializeAvlTree(&symbolProvider->ModulesSet, PhpSymbolModuleCompareFunction);
PhInitializeCallback(&symbolProvider->EventCallback);
if (ProcessId)
{
static ACCESS_MASK accesses[] =
{
STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xfff, // pre-Vista full access
PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_DUP_HANDLE,
PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
MAXIMUM_ALLOWED
};
ULONG i;
symbolProvider->IsRealHandle = FALSE;
// Try to open the process with many different accesses.
// This handle will be re-used when walking stacks, and doing
// various other things.
for (i = 0; i < sizeof(accesses) / sizeof(ACCESS_MASK); i++)
{
if (NT_SUCCESS(PhOpenProcess(&symbolProvider->ProcessHandle, accesses[i], ProcessId)))
{
symbolProvider->IsRealHandle = TRUE;
break;
}
}
}
else
{
symbolProvider->IsRealHandle = FALSE;
}
if (!symbolProvider->IsRealHandle)
{
HANDLE fakeHandle;
// Just generate a fake handle.
fakeHandle = (HANDLE)_InterlockedExchangeAddPointer((PLONG_PTR)&PhNextFakeHandle, 4);
// Add one to make sure it isn't divisible
// by 4 (so it can't be mistaken for a real
// handle).
fakeHandle = (HANDLE)((ULONG_PTR)fakeHandle + 1);
symbolProvider->ProcessHandle = fakeHandle;
}
symbolProvider->IsRegistered = FALSE;
#ifdef PH_SYMBOL_PROVIDER_DELAY_INIT
PhInitializeInitOnce(&symbolProvider->InitOnce);
#else
PhpRegisterSymbolProvider(symbolProvider);
#endif
return symbolProvider;
}
PPH_MODULE_PROVIDER PhCreateModuleProvider(
_In_ HANDLE ProcessId
)
{
NTSTATUS status;
PPH_MODULE_PROVIDER moduleProvider;
moduleProvider = PhCreateObject(
PhEmGetObjectSize(EmModuleProviderType, sizeof(PH_MODULE_PROVIDER)),
PhModuleProviderType
);
moduleProvider->ModuleHashtable = PhCreateHashtable(
sizeof(PPH_MODULE_ITEM),
PhpModuleHashtableEqualFunction,
PhpModuleHashtableHashFunction,
20
);
PhInitializeFastLock(&moduleProvider->ModuleHashtableLock);
PhInitializeCallback(&moduleProvider->ModuleAddedEvent);
PhInitializeCallback(&moduleProvider->ModuleModifiedEvent);
PhInitializeCallback(&moduleProvider->ModuleRemovedEvent);
PhInitializeCallback(&moduleProvider->UpdatedEvent);
moduleProvider->ProcessId = ProcessId;
moduleProvider->ProcessHandle = NULL;
moduleProvider->PackageFullName = NULL;
moduleProvider->RunStatus = STATUS_SUCCESS;
// It doesn't matter if we can't get a process handle.
// Try to get a handle with query information + vm read access.
if (!NT_SUCCESS(status = PhOpenProcess(
&moduleProvider->ProcessHandle,
PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
ProcessId
)))
{
if (WINDOWS_HAS_LIMITED_ACCESS)
{
// Try to get a handle with query limited information + vm read access.
status = PhOpenProcess(
&moduleProvider->ProcessHandle,
PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ,
ProcessId
);
}
moduleProvider->RunStatus = status;
}
if (moduleProvider->ProcessHandle)
moduleProvider->PackageFullName = PhGetProcessPackageFullName(moduleProvider->ProcessHandle);
RtlInitializeSListHead(&moduleProvider->QueryListHead);
PhEmCallObjectOperation(EmModuleProviderType, moduleProvider, EmObjectCreate);
return moduleProvider;
}
