PPH_SERVICE_ITEM PhCreateServiceItem( _In_opt_ LPENUM_SERVICE_STATUS_PROCESS Information ) { PPH_SERVICE_ITEM serviceItem; serviceItem = PhCreateObject( PhEmGetObjectSize(EmServiceItemType, sizeof(PH_SERVICE_ITEM)), PhServiceItemType ); memset(serviceItem, 0, sizeof(PH_SERVICE_ITEM)); if (Information) { serviceItem->Name = PhCreateString(Information->lpServiceName); serviceItem->Key = serviceItem->Name->sr; serviceItem->DisplayName = PhCreateString(Information->lpDisplayName); serviceItem->Type = Information->ServiceStatusProcess.dwServiceType; serviceItem->State = Information->ServiceStatusProcess.dwCurrentState; serviceItem->ControlsAccepted = Information->ServiceStatusProcess.dwControlsAccepted; serviceItem->Flags = Information->ServiceStatusProcess.dwServiceFlags; serviceItem->ProcessId = UlongToHandle(Information->ServiceStatusProcess.dwProcessId); if (serviceItem->ProcessId) PhPrintUInt32(serviceItem->ProcessIdString, HandleToUlong(serviceItem->ProcessId)); } PhEmCallObjectOperation(EmServiceItemType, serviceItem, EmObjectCreate); return serviceItem; }
PPH_HANDLE_ITEM PhCreateHandleItem( _In_opt_ PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handle ) { PPH_HANDLE_ITEM handleItem; handleItem = PhCreateObject( PhEmGetObjectSize(EmHandleItemType, sizeof(PH_HANDLE_ITEM)), PhHandleItemType ); memset(handleItem, 0, sizeof(PH_HANDLE_ITEM)); if (Handle) { handleItem->Handle = (HANDLE)Handle->HandleValue; PhPrintPointer(handleItem->HandleString, (PVOID)handleItem->Handle); handleItem->Object = Handle->Object; PhPrintPointer(handleItem->ObjectString, handleItem->Object); handleItem->Attributes = Handle->HandleAttributes; handleItem->GrantedAccess = (ACCESS_MASK)Handle->GrantedAccess; PhPrintPointer(handleItem->GrantedAccessString, UlongToPtr(handleItem->GrantedAccess)); } PhEmCallObjectOperation(EmHandleItemType, handleItem, EmObjectCreate); return handleItem; }
PPH_MODULE_PROVIDER PhCreateModuleProvider( __in HANDLE ProcessId ) { PPH_MODULE_PROVIDER moduleProvider; if (!NT_SUCCESS(PhCreateObject( &moduleProvider, sizeof(PH_MODULE_PROVIDER), 0, PhModuleProviderType ))) return NULL; moduleProvider->ModuleHashtable = PhCreateHashtable( sizeof(PPH_MODULE_ITEM), PhpModuleHashtableCompareFunction, PhpModuleHashtableHashFunction, 20 ); PhInitializeFastLock(&moduleProvider->ModuleHashtableLock); PhInitializeCallback(&moduleProvider->ModuleAddedEvent); PhInitializeCallback(&moduleProvider->ModuleModifiedEvent); PhInitializeCallback(&moduleProvider->ModuleRemovedEvent); PhInitializeCallback(&moduleProvider->UpdatedEvent); moduleProvider->ProcessId = ProcessId; moduleProvider->ProcessHandle = NULL; // It doesn't matter if we can't get a process handle. // Try to get a handle with query information + vm read access. if (!NT_SUCCESS(PhOpenProcess( &moduleProvider->ProcessHandle, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, ProcessId ))) { if (WINDOWS_HAS_LIMITED_ACCESS) { // Try to get a handle with query limited information + vm read access. PhOpenProcess( &moduleProvider->ProcessHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, ProcessId ); } } RtlInitializeSListHead(&moduleProvider->QueryListHead); return moduleProvider; }
PET_DISK_ITEM EtCreateDiskItem( VOID ) { PET_DISK_ITEM diskItem; diskItem = PhCreateObject(sizeof(ET_DISK_ITEM), EtDiskItemType); memset(diskItem, 0, sizeof(ET_DISK_ITEM)); return diskItem; }
/** * Creates a reference-counted memory block. * * \param Alloc A variable which receives a pointer to the * memory block. * \param Size The number of bytes to allocate. */ NTSTATUS PhCreateAlloc( __out PVOID *Alloc, __in SIZE_T Size ) { return PhCreateObject( Alloc, Size, 0, PhAllocType ); }
/** * Creates an object type. * * \param ObjectType A variable which receives a pointer to the newly * created object type. * \param Name The name of the type. * \param Flags A combination of flags affecting the behaviour of the * object type. * \param DeleteProcedure A callback function that is executed when * an object of this type is about to be freed (i.e. when its * reference count is 0). * \param Parameters A structure containing additional parameters * for the object type. * * \remarks Do not reference or dereference the object type once it * is created. */ NTSTATUS PhCreateObjectTypeEx( __out PPH_OBJECT_TYPE *ObjectType, __in PWSTR Name, __in ULONG Flags, __in_opt PPH_TYPE_DELETE_PROCEDURE DeleteProcedure, __in_opt PPH_OBJECT_TYPE_PARAMETERS Parameters ) { NTSTATUS status = STATUS_SUCCESS; PPH_OBJECT_TYPE objectType; /* Check the flags. */ if ((Flags & PHOBJTYPE_VALID_FLAGS) != Flags) /* Valid flag mask */ return STATUS_INVALID_PARAMETER_3; if ((Flags & PHOBJTYPE_USE_FREE_LIST) && !Parameters) return STATUS_INVALID_PARAMETER_MIX; /* Create the type object. */ status = PhCreateObject( &objectType, sizeof(PH_OBJECT_TYPE), 0, PhObjectTypeObject ); if (!NT_SUCCESS(status)) return status; /* Initialize the type object. */ objectType->Flags = Flags; objectType->DeleteProcedure = DeleteProcedure; objectType->Name = Name; objectType->NumberOfObjects = 0; if (Parameters) { if (Flags & PHOBJTYPE_USE_FREE_LIST) { PhInitializeFreeList( &objectType->FreeList, PhpAddObjectHeaderSize(Parameters->FreeListSize), Parameters->FreeListCount ); } } *ObjectType = objectType; return status; }
PPH_THREAD_PROVIDER PhCreateThreadProvider( __in HANDLE ProcessId ) { PPH_THREAD_PROVIDER threadProvider; if (!NT_SUCCESS(PhCreateObject( &threadProvider, sizeof(PH_THREAD_PROVIDER), 0, PhThreadProviderType ))) return NULL; threadProvider->ThreadHashtable = PhCreateHashtable( sizeof(PPH_THREAD_ITEM), PhpThreadHashtableCompareFunction, PhpThreadHashtableHashFunction, 20 ); PhInitializeFastLock(&threadProvider->ThreadHashtableLock); PhInitializeCallback(&threadProvider->ThreadAddedEvent); PhInitializeCallback(&threadProvider->ThreadModifiedEvent); PhInitializeCallback(&threadProvider->ThreadRemovedEvent); PhInitializeCallback(&threadProvider->UpdatedEvent); PhInitializeCallback(&threadProvider->LoadingStateChangedEvent); threadProvider->ProcessId = ProcessId; threadProvider->SymbolProvider = PhCreateSymbolProvider(ProcessId); if (threadProvider->SymbolProvider) { if (threadProvider->SymbolProvider->IsRealHandle) threadProvider->ProcessHandle = threadProvider->SymbolProvider->ProcessHandle; } PhInitializeEvent(&threadProvider->SymbolsLoadedEvent); threadProvider->SymbolsLoading = 0; RtlInitializeSListHead(&threadProvider->QueryListHead); threadProvider->RunId = 1; // Begin loading symbols for the process' modules. PhReferenceObject(threadProvider); PhpQueueThreadWorkQueueItem(PhpThreadProviderLoadSymbols, threadProvider); return threadProvider; }
PPH_MODULE_ITEM PhCreateModuleItem( VOID ) { PPH_MODULE_ITEM moduleItem; moduleItem = PhCreateObject( PhEmGetObjectSize(EmModuleItemType, sizeof(PH_MODULE_ITEM)), PhModuleItemType ); memset(moduleItem, 0, sizeof(PH_MODULE_ITEM)); PhEmCallObjectOperation(EmModuleItemType, moduleItem, EmObjectCreate); return moduleItem; }
PPH_THREAD_PROVIDER PhCreateThreadProvider( _In_ HANDLE ProcessId ) { PPH_THREAD_PROVIDER threadProvider; threadProvider = PhCreateObject( PhEmGetObjectSize(EmThreadProviderType, sizeof(PH_THREAD_PROVIDER)), PhThreadProviderType ); memset(threadProvider, 0, sizeof(PH_THREAD_PROVIDER)); threadProvider->ThreadHashtable = PhCreateHashtable( sizeof(PPH_THREAD_ITEM), PhpThreadHashtableEqualFunction, PhpThreadHashtableHashFunction, 20 ); PhInitializeFastLock(&threadProvider->ThreadHashtableLock); PhInitializeCallback(&threadProvider->ThreadAddedEvent); PhInitializeCallback(&threadProvider->ThreadModifiedEvent); PhInitializeCallback(&threadProvider->ThreadRemovedEvent); PhInitializeCallback(&threadProvider->UpdatedEvent); PhInitializeCallback(&threadProvider->LoadingStateChangedEvent); threadProvider->ProcessId = ProcessId; threadProvider->SymbolProvider = PhCreateSymbolProvider(ProcessId); if (threadProvider->SymbolProvider) { if (threadProvider->SymbolProvider->IsRealHandle) threadProvider->ProcessHandle = threadProvider->SymbolProvider->ProcessHandle; } RtlInitializeSListHead(&threadProvider->QueryListHead); PhInitializeQueuedLock(&threadProvider->LoadSymbolsLock); threadProvider->RunId = 1; threadProvider->SymbolsLoadedRunId = 0; // Force symbols to be loaded the first time we try to resolve an address PhEmCallObjectOperation(EmThreadProviderType, threadProvider, EmObjectCreate); return threadProvider; }
PPH_THREAD_ITEM PhCreateThreadItem( _In_ HANDLE ThreadId ) { PPH_THREAD_ITEM threadItem; threadItem = PhCreateObject( PhEmGetObjectSize(EmThreadItemType, sizeof(PH_THREAD_ITEM)), PhThreadItemType ); memset(threadItem, 0, sizeof(PH_THREAD_ITEM)); threadItem->ThreadId = ThreadId; PhPrintUInt32(threadItem->ThreadIdString, HandleToUlong(ThreadId)); PhEmCallObjectOperation(EmThreadItemType, threadItem, EmObjectCreate); return threadItem; }
PET_DISK_ITEM EtCreateDiskItem( VOID ) { PET_DISK_ITEM diskItem; if (!NT_SUCCESS(PhCreateObject( &diskItem, sizeof(ET_DISK_ITEM), 0, EtDiskItemType ))) return NULL; memset(diskItem, 0, sizeof(ET_DISK_ITEM)); return diskItem; }
PPH_MODULE_ITEM PhCreateModuleItem( VOID ) { PPH_MODULE_ITEM moduleItem; if (!NT_SUCCESS(PhCreateObject( &moduleItem, PhEmGetObjectSize(EmModuleItemType, sizeof(PH_MODULE_ITEM)), 0, PhModuleItemType ))) return NULL; memset(moduleItem, 0, sizeof(PH_MODULE_ITEM)); PhEmCallObjectOperation(EmModuleItemType, moduleItem, EmObjectCreate); return moduleItem; }
PDV_NETADAPTER_ENTRY CreateNetAdapterEntry( _In_ PDV_NETADAPTER_ID Id ) { PDV_NETADAPTER_ENTRY entry; entry = PhCreateObject(sizeof(DV_NETADAPTER_ENTRY), NetAdapterEntryType); memset(entry, 0, sizeof(DV_NETADAPTER_ENTRY)); CopyNetAdapterId(&entry->Id, Id); PhInitializeCircularBuffer_ULONG64(&entry->InboundBuffer, PhGetIntegerSetting(L"SampleCount")); PhInitializeCircularBuffer_ULONG64(&entry->OutboundBuffer, PhGetIntegerSetting(L"SampleCount")); PhAcquireQueuedLockExclusive(&NetworkAdaptersListLock); PhAddItemList(NetworkAdaptersList, entry); PhReleaseQueuedLockExclusive(&NetworkAdaptersListLock); return entry; }
PDV_DISK_ENTRY CreateDiskEntry( _In_ PDV_DISK_ID Id ) { PDV_DISK_ENTRY entry; entry = PhCreateObject(sizeof(DV_DISK_ENTRY), DiskDriveEntryType); memset(entry, 0, sizeof(DV_DISK_ENTRY)); entry->DiskIndex = ULONG_MAX; CopyDiskId(&entry->Id, Id); PhInitializeCircularBuffer_ULONG64(&entry->ReadBuffer, PhGetIntegerSetting(L"SampleCount")); PhInitializeCircularBuffer_ULONG64(&entry->WriteBuffer, PhGetIntegerSetting(L"SampleCount")); PhAcquireQueuedLockExclusive(&DiskDrivesListLock); PhAddItemList(DiskDrivesList, entry); PhReleaseQueuedLockExclusive(&DiskDrivesListLock); return entry; }
PPH_THREAD_ITEM PhCreateThreadItem( __in HANDLE ThreadId ) { PPH_THREAD_ITEM threadItem; if (!NT_SUCCESS(PhCreateObject( &threadItem, PhEmGetObjectSize(EmThreadItemType, sizeof(PH_THREAD_ITEM)), 0, PhThreadItemType ))) return NULL; memset(threadItem, 0, sizeof(PH_THREAD_ITEM)); threadItem->ThreadId = ThreadId; PhPrintUInt32(threadItem->ThreadIdString, (ULONG)ThreadId); PhEmCallObjectOperation(EmThreadItemType, threadItem, EmObjectCreate); return threadItem; }
PPH_HANDLE_PROVIDER PhCreateHandleProvider( __in HANDLE ProcessId ) { PPH_HANDLE_PROVIDER handleProvider; if (!NT_SUCCESS(PhCreateObject( &handleProvider, sizeof(PH_HANDLE_PROVIDER), 0, PhHandleProviderType ))) return NULL; handleProvider->HandleHashSetSize = 128; handleProvider->HandleHashSet = PhCreateHashSet(handleProvider->HandleHashSetSize); handleProvider->HandleHashSetCount = 0; PhInitializeQueuedLock(&handleProvider->HandleHashSetLock); PhInitializeCallback(&handleProvider->HandleAddedEvent); PhInitializeCallback(&handleProvider->HandleModifiedEvent); PhInitializeCallback(&handleProvider->HandleRemovedEvent); PhInitializeCallback(&handleProvider->UpdatedEvent); handleProvider->ProcessId = ProcessId; handleProvider->ProcessHandle = NULL; PhOpenProcess( &handleProvider->ProcessHandle, PROCESS_DUP_HANDLE, ProcessId ); handleProvider->TempListHashtable = PhCreateSimpleHashtable(20); return handleProvider; }
PPH_HANDLE_PROVIDER PhCreateHandleProvider( _In_ HANDLE ProcessId ) { PPH_HANDLE_PROVIDER handleProvider; handleProvider = PhCreateObject( PhEmGetObjectSize(EmHandleProviderType, sizeof(PH_HANDLE_PROVIDER)), PhHandleProviderType ); handleProvider->HandleHashSetSize = 128; handleProvider->HandleHashSet = PhCreateHashSet(handleProvider->HandleHashSetSize); handleProvider->HandleHashSetCount = 0; PhInitializeQueuedLock(&handleProvider->HandleHashSetLock); PhInitializeCallback(&handleProvider->HandleAddedEvent); PhInitializeCallback(&handleProvider->HandleModifiedEvent); PhInitializeCallback(&handleProvider->HandleRemovedEvent); PhInitializeCallback(&handleProvider->UpdatedEvent); handleProvider->ProcessId = ProcessId; handleProvider->ProcessHandle = NULL; handleProvider->RunStatus = PhOpenProcess( &handleProvider->ProcessHandle, PROCESS_DUP_HANDLE, ProcessId ); handleProvider->TempListHashtable = PhCreateSimpleHashtable(20); PhEmCallObjectOperation(EmHandleProviderType, handleProvider, EmObjectCreate); return handleProvider; }
PPH_SYMBOL_PROVIDER PhCreateSymbolProvider( _In_opt_ HANDLE ProcessId ) { PPH_SYMBOL_PROVIDER symbolProvider; if (!NT_SUCCESS(PhCreateObject( &symbolProvider, sizeof(PH_SYMBOL_PROVIDER), 0, PhSymbolProviderType ))) return NULL; InitializeListHead(&symbolProvider->ModulesListHead); PhInitializeQueuedLock(&symbolProvider->ModulesListLock); PhInitializeAvlTree(&symbolProvider->ModulesSet, PhpSymbolModuleCompareFunction); PhInitializeCallback(&symbolProvider->EventCallback); if (ProcessId) { static ACCESS_MASK accesses[] = { STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xfff, // pre-Vista full access PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, MAXIMUM_ALLOWED }; ULONG i; symbolProvider->IsRealHandle = FALSE; // Try to open the process with many different accesses. // This handle will be re-used when walking stacks, and doing // various other things. for (i = 0; i < sizeof(accesses) / sizeof(ACCESS_MASK); i++) { if (NT_SUCCESS(PhOpenProcess(&symbolProvider->ProcessHandle, accesses[i], ProcessId))) { symbolProvider->IsRealHandle = TRUE; break; } } } else { symbolProvider->IsRealHandle = FALSE; } if (!symbolProvider->IsRealHandle) { HANDLE fakeHandle; // Just generate a fake handle. fakeHandle = (HANDLE)_InterlockedExchangeAddPointer((PLONG_PTR)&PhNextFakeHandle, 4); // Add one to make sure it isn't divisible // by 4 (so it can't be mistaken for a real // handle). fakeHandle = (HANDLE)((ULONG_PTR)fakeHandle + 1); symbolProvider->ProcessHandle = fakeHandle; } symbolProvider->IsRegistered = FALSE; #ifdef PH_SYMBOL_PROVIDER_DELAY_INIT PhInitializeInitOnce(&symbolProvider->InitOnce); #else PhpRegisterSymbolProvider(symbolProvider); #endif return symbolProvider; }
PPH_MODULE_PROVIDER PhCreateModuleProvider( _In_ HANDLE ProcessId ) { NTSTATUS status; PPH_MODULE_PROVIDER moduleProvider; moduleProvider = PhCreateObject( PhEmGetObjectSize(EmModuleProviderType, sizeof(PH_MODULE_PROVIDER)), PhModuleProviderType ); moduleProvider->ModuleHashtable = PhCreateHashtable( sizeof(PPH_MODULE_ITEM), PhpModuleHashtableEqualFunction, PhpModuleHashtableHashFunction, 20 ); PhInitializeFastLock(&moduleProvider->ModuleHashtableLock); PhInitializeCallback(&moduleProvider->ModuleAddedEvent); PhInitializeCallback(&moduleProvider->ModuleModifiedEvent); PhInitializeCallback(&moduleProvider->ModuleRemovedEvent); PhInitializeCallback(&moduleProvider->UpdatedEvent); moduleProvider->ProcessId = ProcessId; moduleProvider->ProcessHandle = NULL; moduleProvider->PackageFullName = NULL; moduleProvider->RunStatus = STATUS_SUCCESS; // It doesn't matter if we can't get a process handle. // Try to get a handle with query information + vm read access. if (!NT_SUCCESS(status = PhOpenProcess( &moduleProvider->ProcessHandle, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, ProcessId ))) { if (WINDOWS_HAS_LIMITED_ACCESS) { // Try to get a handle with query limited information + vm read access. status = PhOpenProcess( &moduleProvider->ProcessHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, ProcessId ); } moduleProvider->RunStatus = status; } if (moduleProvider->ProcessHandle) moduleProvider->PackageFullName = PhGetProcessPackageFullName(moduleProvider->ProcessHandle); RtlInitializeSListHead(&moduleProvider->QueryListHead); PhEmCallObjectOperation(EmModuleProviderType, moduleProvider, EmObjectCreate); return moduleProvider; }