// Copied from ProcessHacker\netlist.c.
/**
 * Builds the "Process" column text for a network item.
 *
 * \param NetworkItem The network item to describe.
 *
 * \return "Waiting connections" when the item has no owning process ID,
 * otherwise "<process name> (<pid>)", with "Unknown process" standing in
 * for a missing name. The string lives in the auto-dereference pool
 * (PH_AUTO / PhaCreateString); callers must not release it themselves.
 */
static PPH_STRING PhpNetworkTreeGetNetworkItemProcessName(
    _In_ PPH_NETWORK_ITEM NetworkItem
    )
{
    PH_FORMAT parts[4];

    // Items without an owning process ID are reported as such instead of
    // being attributed to a PID of 0.
    if (!NetworkItem->ProcessId)
        return PhaCreateString(L"Waiting connections");

    if (NetworkItem->ProcessName)
        PhInitFormatSR(&parts[0], NetworkItem->ProcessName->sr);
    else
        PhInitFormatS(&parts[0], L"Unknown process");

    PhInitFormatS(&parts[1], L" (");
    PhInitFormatU(&parts[2], HandleToUlong(NetworkItem->ProcessId));
    PhInitFormatC(&parts[3], ')');

    return PH_AUTO(PhFormat(parts, 4, 96));
}
/**
 * Dialog procedure for the ALPC port property page.
 *
 * Only WM_INITDIALOG is handled: the port handle is duplicated out of the
 * owning process, queried for its basic information, and the sequence number
 * and port context are written into the page's static controls. Every other
 * message is left to default processing.
 *
 * \param hwndDlg The page window.
 * \param uMsg The window message.
 * \param wParam Unused.
 * \param lParam For WM_INITDIALOG, the PROPSHEETPAGE whose lParam carries the
 * COMMON_PAGE_CONTEXT.
 *
 * \return Always FALSE, so the property sheet continues default handling.
 */
INT_PTR CALLBACK EtpAlpcPortPageDlgProc(
    __in HWND hwndDlg,
    __in UINT uMsg,
    __in WPARAM wParam,
    __in LPARAM lParam
    )
{
    PCOMMON_PAGE_CONTEXT context;
    HANDLE portHandle;
    ALPC_BASIC_INFORMATION basicInfo;

    if (uMsg != WM_INITDIALOG)
        return FALSE;

    // The page context travels in the PROPSHEETPAGE passed as lParam.
    context = (PCOMMON_PAGE_CONTEXT)((LPPROPSHEETPAGE)lParam)->lParam;

    // The handle is duplicated with READ_CONTROL only. If that fails the
    // controls simply keep their default text.
    if (!NT_SUCCESS(EtpDuplicateHandleFromProcess(&portHandle, READ_CONTROL, context)))
        return FALSE;

    if (NT_SUCCESS(NtAlpcQueryInformation(
        portHandle,
        AlpcBasicInformation,
        &basicInfo,
        sizeof(basicInfo),
        NULL
        )))
    {
        PH_FORMAT format[2];
        PPH_STRING sequenceText;

        PhInitFormatS(&format[0], L"Sequence Number: ");
        PhInitFormatD(&format[1], basicInfo.SequenceNo);
        format[1].Type |= FormatGroupDigits; // digit grouping for readability

        sequenceText = PhFormat(format, 2, 128);
        SetDlgItemText(hwndDlg, IDC_SEQUENCENUMBER, sequenceText->Buffer);
        PhDereferenceObject(sequenceText);

        // Pointer-sized hex; the auto-dereference pool owns the string.
        SetDlgItemText(hwndDlg, IDC_PORTCONTEXT,
            PhaFormatString(L"Port Context: 0x%Ix", basicInfo.PortContext)->Buffer);
    }

    NtClose(portHandle);

    return FALSE;
}
/**
 * Produces a cheap, module-level description of a thread start address.
 *
 * \param ThreadProvider The thread provider whose SymbolProvider knows the
 * loaded modules.
 * \param Address The start address to describe.
 * \param ResolveLevel Receives PhsrlModule when a module covers the address,
 * PhsrlAddress otherwise.
 *
 * \return A referenced string: "<module base name>+0x<offset>" when the
 * address falls inside a known module, otherwise the address printed as a
 * pointer. The caller owns the reference.
 */
PPH_STRING PhpGetThreadBasicStartAddress(
    __in PPH_THREAD_PROVIDER ThreadProvider,
    __in ULONG64 Address,
    __out PPH_SYMBOL_RESOLVE_LEVEL ResolveLevel
    )
{
    PPH_STRING moduleFileName = NULL;
    PPH_STRING result;
    ULONG64 moduleBase;

    moduleBase = PhGetModuleFromAddress(ThreadProvider->SymbolProvider, Address, &moduleFileName);

    if (moduleFileName)
    {
        // Known module: "<base name>+0x<offset>".
        PPH_STRING moduleBaseName = PhGetBaseName(moduleFileName);
        PH_FORMAT parts[3];

        *ResolveLevel = PhsrlModule;

        PhInitFormatSR(&parts[0], moduleBaseName->sr);
        PhInitFormatS(&parts[1], L"+0x");
        PhInitFormatIX(&parts[2], (ULONG_PTR)(Address - moduleBase));
        // Size hint: base name plus "+0x" plus room for a pointer-sized hex value.
        result = PhFormat(parts, 3, moduleBaseName->Length + 6 + 32);

        PhDereferenceObject(moduleBaseName);
        PhDereferenceObject(moduleFileName);
    }
    else
    {
        // No module covers the address: fall back to the raw pointer.
        *ResolveLevel = PhsrlAddress;

        result = PhCreateStringEx(NULL, PH_PTR_STR_LEN * 2);
        PhPrintPointer(result->Buffer, (PVOID)Address);
        PhTrimToNullTerminatorString(result);
    }

    return result;
}
/**
 * Formats an address as "<module>+0x<offset>" without a full symbol lookup.
 *
 * \param SymbolProvider The symbol provider whose module list is consulted.
 * \param Address The address to format.
 *
 * \return A referenced string owned by the caller: the module-relative form
 * when the address lies inside a known module, otherwise the address printed
 * as a pointer.
 */
static PPH_STRING EtpGetBasicSymbol(
    _In_ PPH_SYMBOL_PROVIDER SymbolProvider,
    _In_ ULONG64 Address
    )
{
    PPH_STRING fileName = NULL;
    PPH_STRING baseName;
    PPH_STRING text;
    PH_FORMAT format[3];
    ULONG64 moduleBase;

    moduleBase = PhGetModuleFromAddress(SymbolProvider, Address, &fileName);

    if (!fileName)
    {
        // Not inside any known module: print the bare pointer.
        text = PhCreateStringEx(NULL, PH_PTR_STR_LEN * 2);
        PhPrintPointer(text->Buffer, (PVOID)Address);
        PhTrimToNullTerminatorString(text);
        return text;
    }

    baseName = PhGetBaseName(fileName);

    PhInitFormatSR(&format[0], baseName->sr);
    PhInitFormatS(&format[1], L"+0x");
    PhInitFormatIX(&format[2], (ULONG_PTR)(Address - moduleBase));
    // Size hint: base name, "+0x", and room for a pointer-sized hex value.
    text = PhFormat(format, 3, baseName->Length + 6 + 32);

    PhDereferenceObject(fileName);
    PhDereferenceObject(baseName);

    return text;
}
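/**
 * Allocates a zeroed SYMBOL_INFOW able to hold MaxNameLen characters of name.
 *
 * \param MaxNameLen Capacity of the trailing Name buffer, in characters.
 *
 * \return The structure with SizeOfStruct and MaxNameLen filled in. Free with PhFree.
 */
static PSYMBOL_INFOW PhpAllocateSymbolInfoW(
    _In_ ULONG MaxNameLen
    )
{
    PSYMBOL_INFOW symbolInfo;

    symbolInfo = PhAllocate(FIELD_OFFSET(SYMBOL_INFOW, Name) + MaxNameLen * sizeof(WCHAR));
    // Only the fixed header needs zeroing; with NameLen == 0 the name buffer is never read.
    memset(symbolInfo, 0, sizeof(SYMBOL_INFOW));
    symbolInfo->SizeOfStruct = sizeof(SYMBOL_INFOW);
    symbolInfo->MaxNameLen = MaxNameLen;

    return symbolInfo;
}

/**
 * ANSI counterpart of PhpAllocateSymbolInfoW, used when only SymFromAddr is available.
 *
 * \param MaxNameLen Capacity of the trailing Name buffer, in characters (bytes).
 *
 * \return The structure with SizeOfStruct and MaxNameLen filled in. Free with PhFree.
 */
static PSYMBOL_INFO PhpAllocateSymbolInfoA(
    _In_ ULONG MaxNameLen
    )
{
    PSYMBOL_INFO symbolInfo;

    symbolInfo = PhAllocate(FIELD_OFFSET(SYMBOL_INFO, Name) + MaxNameLen);
    memset(symbolInfo, 0, sizeof(SYMBOL_INFO));
    symbolInfo->SizeOfStruct = sizeof(SYMBOL_INFO);
    symbolInfo->MaxNameLen = MaxNameLen;

    return symbolInfo;
}

/**
 * Resolves an address to a display string through the symbol provider.
 *
 * \param SymbolProvider The provider whose ProcessHandle and module set are
 * used for the lookup.
 * \param Address The address to resolve.
 * \param ResolveLevel Optionally receives how far the address could be
 * resolved: PhsrlInvalid, PhsrlAddress, PhsrlModule or PhsrlFunction.
 * \param FileName Optionally receives a referenced module file name, or NULL.
 * \param SymbolName Optionally receives a referenced bare symbol name, or NULL.
 * \param Displacement Optionally receives the offset from the symbol start
 * (0 when no symbol was found).
 *
 * \return A referenced string owned by the caller, in one of the forms
 * "<address>", "<module>+0x<offset>", "<module>!<symbol>" or
 * "<module>!<symbol>+0x<offset>". NULL when Address is 0 or no dbghelp
 * SymFromAddr entry point is available; in both cases every optional out
 * parameter is still written (PhsrlInvalid / NULL / 0).
 *
 * Fixes relative to the previous version: modBase was never assigned on the
 * path where dbghelp reported a ModBase, yet it was subtracted to produce the
 * "<module>+0x<offset>" form; and displacement was read (and returned) even
 * when SymFromAddr failed without writing it. Both are now initialized.
 */
PPH_STRING PhGetSymbolFromAddress(
    _In_ PPH_SYMBOL_PROVIDER SymbolProvider,
    _In_ ULONG64 Address,
    _Out_opt_ PPH_SYMBOL_RESOLVE_LEVEL ResolveLevel,
    _Out_opt_ PPH_STRING *FileName,
    _Out_opt_ PPH_STRING *SymbolName,
    _Out_opt_ PULONG64 Displacement
    )
{
    PSYMBOL_INFOW symbolInfo;
    ULONG nameLength;
    PPH_STRING symbol = NULL;
    PH_SYMBOL_RESOLVE_LEVEL resolveLevel;
    // SymFromAddr may fail without touching this; it is compared below and
    // handed back through Displacement, so it must not be indeterminate.
    ULONG64 displacement = 0;
    PPH_STRING modFileName = NULL;
    PPH_STRING modBaseName = NULL;
    ULONG64 modBase = 0;
    PPH_STRING symbolName = NULL;

    // Nothing can be resolved without a dbghelp entry point or for a null
    // address. Report that consistently through every optional out
    // parameter so callers never read an unset value on a NULL return.
    if ((!SymFromAddrW_I && !SymFromAddr_I) || Address == 0)
    {
        if (ResolveLevel) *ResolveLevel = PhsrlInvalid;
        if (FileName) *FileName = NULL;
        if (SymbolName) *SymbolName = NULL;
        if (Displacement) *Displacement = 0;

        return NULL;
    }

#ifdef PH_SYMBOL_PROVIDER_DELAY_INIT
    PhpRegisterSymbolProvider(SymbolProvider);
#endif

    symbolInfo = PhpAllocateSymbolInfoW(PH_MAX_SYMBOL_NAME_LEN);

    // Get the symbol name.

    PH_LOCK_SYMBOLS();

    // The SymFromAddr result is deliberately ignored: the structure was
    // zeroed, so a failed call leaves NameLen == 0 and ModBase == 0, which
    // the module/address fallbacks below handle.

    if (SymFromAddrW_I)
    {
        SymFromAddrW_I(
            SymbolProvider->ProcessHandle,
            Address,
            &displacement,
            symbolInfo
            );
        nameLength = symbolInfo->NameLen;

        // The retry assumes NameLen reports the full length even when the
        // name was truncated to MaxNameLen.
        if (nameLength + 1 > PH_MAX_SYMBOL_NAME_LEN)
        {
            PhFree(symbolInfo);
            symbolInfo = PhpAllocateSymbolInfoW(nameLength + 1);

            SymFromAddrW_I(
                SymbolProvider->ProcessHandle,
                Address,
                &displacement,
                symbolInfo
                );
        }
    }
    else if (SymFromAddr_I)
    {
        // Only the ANSI entry point exists: query into a SYMBOL_INFO and
        // convert it into the Unicode structure the rest of the function uses.
        PSYMBOL_INFO symbolInfoA;

        symbolInfoA = PhpAllocateSymbolInfoA(PH_MAX_SYMBOL_NAME_LEN);

        SymFromAddr_I(
            SymbolProvider->ProcessHandle,
            Address,
            &displacement,
            symbolInfoA
            );
        nameLength = symbolInfoA->NameLen;

        if (nameLength + 1 > PH_MAX_SYMBOL_NAME_LEN)
        {
            PhFree(symbolInfoA);
            symbolInfoA = PhpAllocateSymbolInfoA(nameLength + 1);

            SymFromAddr_I(
                SymbolProvider->ProcessHandle,
                Address,
                &displacement,
                symbolInfoA
                );

            // The Unicode buffer must grow to the same capacity for the conversion.
            PhFree(symbolInfo);
            symbolInfo = PhpAllocateSymbolInfoW(nameLength + 1);
        }

        PhpSymbolInfoAnsiToUnicode(symbolInfo, symbolInfoA);
        PhFree(symbolInfoA);
    }

    PH_UNLOCK_SYMBOLS();

    // Find the module name.

    if (symbolInfo->ModBase == 0)
    {
        // dbghelp did not attribute the address to a module; fall back to the
        // provider's own module list, which also yields the base address.
        modBase = PhGetModuleFromAddress(
            SymbolProvider,
            Address,
            &modFileName
            );
    }
    else
    {
        PH_SYMBOL_MODULE lookupSymbolModule;
        PPH_AVL_LINKS existingLinks;
        PPH_SYMBOL_MODULE symbolModule;

        // The module+offset form below subtracts modBase; take it from dbghelp here.
        modBase = symbolInfo->ModBase;
        lookupSymbolModule.BaseAddress = symbolInfo->ModBase;

        PhAcquireQueuedLockShared(&SymbolProvider->ModulesListLock);

        existingLinks = PhFindElementAvlTree(&SymbolProvider->ModulesSet, &lookupSymbolModule.Links);

        if (existingLinks)
        {
            symbolModule = CONTAINING_RECORD(existingLinks, PH_SYMBOL_MODULE, Links);
            modFileName = symbolModule->FileName;
            // Keep the name alive after the lock is released.
            PhReferenceObject(modFileName);
        }

        PhReleaseQueuedLockShared(&SymbolProvider->ModulesListLock);
    }

    // If we don't have a module name, return an address.
    if (!modFileName)
    {
        resolveLevel = PhsrlAddress;
        symbol = PhCreateStringEx(NULL, PH_PTR_STR_LEN * 2);
        PhPrintPointer(symbol->Buffer, (PVOID)Address);
        PhTrimToNullTerminatorString(symbol);

        goto CleanupExit;
    }

    modBaseName = PhGetBaseName(modFileName);

    // If we have a module name but not a symbol name,
    // return the module plus an offset: module+offset.

    if (symbolInfo->NameLen == 0)
    {
        PH_FORMAT format[3];

        resolveLevel = PhsrlModule;

        PhInitFormatSR(&format[0], modBaseName->sr);
        PhInitFormatS(&format[1], L"+0x");
        PhInitFormatIX(&format[2], (ULONG_PTR)(Address - modBase));
        // Size hint: base name, "+0x", and room for a pointer-sized hex value.
        symbol = PhFormat(format, 3, modBaseName->Length + 6 + 32);

        goto CleanupExit;
    }

    // If we have everything, return the full symbol
    // name: module!symbol+offset.

    // NameLen is in characters; PhCreateStringEx takes a byte length.
    symbolName = PhCreateStringEx(
        symbolInfo->Name,
        symbolInfo->NameLen * 2
        );

    resolveLevel = PhsrlFunction;

    if (displacement == 0)
    {
        PH_FORMAT format[3];

        PhInitFormatSR(&format[0], modBaseName->sr);
        PhInitFormatC(&format[1], '!');
        PhInitFormatSR(&format[2], symbolName->sr);

        symbol = PhFormat(format, 3, modBaseName->Length + 2 + symbolName->Length);
    }
    else
    {
        PH_FORMAT format[5];

        PhInitFormatSR(&format[0], modBaseName->sr);
        PhInitFormatC(&format[1], '!');
        PhInitFormatSR(&format[2], symbolName->sr);
        PhInitFormatS(&format[3], L"+0x");
        PhInitFormatIX(&format[4], (ULONG_PTR)displacement);

        symbol = PhFormat(format, 5, modBaseName->Length + 2 + symbolName->Length + 6 + 32);
    }

CleanupExit:

    // Hand out the optional results. Each out string gets its own reference;
    // the local references are released below.
    if (ResolveLevel)
        *ResolveLevel = resolveLevel;
    if (FileName)
    {
        *FileName = modFileName;

        if (modFileName)
            PhReferenceObject(modFileName);
    }
    if (SymbolName)
    {
        *SymbolName = symbolName;

        if (symbolName)
            PhReferenceObject(symbolName);
    }
    if (Displacement)
        *Displacement = displacement;

    if (modFileName)
        PhDereferenceObject(modFileName);
    if (modBaseName)
        PhDereferenceObject(modBaseName);
    if (symbolName)
        PhDereferenceObject(symbolName);

    PhFree(symbolInfo);

    return symbol;
}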
/**
 * Notification-icon update callback for the network graph.
 *
 * Draws the receive/send history as a two-line graph into a fresh bitmap and
 * builds the tooltip text "Network\nR: <size>\nS: <size>", followed by the
 * name of the process with the highest network usage when one is known.
 *
 * \param Icon The notification icon; its Pointers->BeginBitmap supplies the
 * drawing surface.
 * \param NewIconOrBitmap Receives the bitmap.
 * \param Flags Receives PH_NF_UPDATE_IS_BITMAP.
 * \param NewText Receives a referenced tooltip string owned by the caller.
 * \param Context Unused.
 */
VOID EtpNetworkIconUpdateCallback(
    _In_ struct _PH_NF_ICON *Icon,
    _Out_ PVOID *NewIconOrBitmap,
    _Out_ PULONG Flags,
    _Out_ PPH_STRING *NewText,
    _In_opt_ PVOID Context
    )
{
    // Static so that the size chosen by BeginBitmap persists between updates;
    // the data pointers and colors are refreshed on every call.
    static PH_GRAPH_DRAW_INFO drawInfo =
    {
        16,                     // Width
        16,                     // Height
        PH_GRAPH_USE_LINE_2,    // Flags: draw both lines
        2,                      // Step
        RGB(0x00, 0x00, 0x00),  // BackColor

        16,                     // LineDataCount
        NULL,
        NULL,
        0,
        0,
        0,
        0
    };
    HBITMAP bitmap;
    HBITMAP oldBitmap;
    PVOID bits;
    HDC hdc;
    ULONG capacity;
    ULONG sampleCount;
    PFLOAT receiveSamples;
    PFLOAT sendSamples;
    FLOAT scale;
    ULONG index;
    HANDLE topProcessId = NULL;
    PPH_PROCESS_ITEM topProcessItem = NULL;
    PH_FORMAT format[6];
    ULONG formatCount = 4;

    // Icon

    Icon->Pointers->BeginBitmap(&drawInfo.Width, &drawInfo.Height, &bitmap, &bits, &hdc, &oldBitmap);
    // One sample per two pixels of width (plus one); sized from the icon width.
    capacity = drawInfo.Width / 2 + 1;
    receiveSamples = _alloca(capacity * sizeof(FLOAT));
    sendSamples = _alloca(capacity * sizeof(FLOAT));

    sampleCount = min(capacity, EtNetworkReceiveHistory.Count);
    scale = 1024 * 1024; // never scale below 1 MB, so small traffic stays near the baseline

    for (index = 0; index < sampleCount; index++)
    {
        FLOAT total;

        receiveSamples[index] = (FLOAT)PhGetItemCircularBuffer_ULONG(&EtNetworkReceiveHistory, index);
        sendSamples[index] = (FLOAT)PhGetItemCircularBuffer_ULONG(&EtNetworkSendHistory, index);
        total = receiveSamples[index] + sendSamples[index];

        // The two lines are stacked, so the combined value sets the scale.
        if (total > scale)
            scale = total;
    }

    PhDivideSinglesBySingle(receiveSamples, scale, sampleCount);
    PhDivideSinglesBySingle(sendSamples, scale, sampleCount);

    drawInfo.LineDataCount = sampleCount;
    drawInfo.LineData1 = receiveSamples;
    drawInfo.LineData2 = sendSamples;
    drawInfo.LineColor1 = PhGetIntegerSetting(L"ColorIoReadOther");
    drawInfo.LineColor2 = PhGetIntegerSetting(L"ColorIoWrite");
    drawInfo.LineBackColor1 = PhHalveColorBrightness(drawInfo.LineColor1);
    drawInfo.LineBackColor2 = PhHalveColorBrightness(drawInfo.LineColor2);

    if (bits)
        PhDrawGraphDirect(hdc, bits, &drawInfo);

    SelectObject(hdc, oldBitmap);
    *NewIconOrBitmap = bitmap;
    *Flags = PH_NF_UPDATE_IS_BITMAP;

    // Text

    if (EtMaxNetworkHistory.Count != 0)
        topProcessId = UlongToHandle(PhGetItemCircularBuffer_ULONG(&EtMaxNetworkHistory, 0));

    if (topProcessId)
        topProcessItem = PhReferenceProcessItem(topProcessId);

    PhInitFormatS(&format[0], L"Network\nR: ");
    PhInitFormatSize(&format[1], EtNetworkReceiveDelta.Delta);
    PhInitFormatS(&format[2], L"\nS: ");
    PhInitFormatSize(&format[3], EtNetworkSendDelta.Delta);

    if (topProcessItem)
    {
        PhInitFormatC(&format[4], '\n');
        PhInitFormatSR(&format[5], topProcessItem->ProcessName->sr);
        formatCount = 6;
    }

    *NewText = PhFormat(format, formatCount, 128);

    if (topProcessItem)
        PhDereferenceObject(topProcessItem);
}
/**
 * Notification-icon update callback for the GPU graph.
 *
 * Draws the GPU node usage history as a single-line graph into a fresh bitmap
 * and builds the tooltip text "GPU Usage: <n>%", followed by the name and
 * usage of the process with the highest GPU node usage when one is known.
 *
 * \param Icon The notification icon; its Pointers->BeginBitmap supplies the
 * drawing surface.
 * \param NewIconOrBitmap Receives the bitmap.
 * \param Flags Receives PH_NF_UPDATE_IS_BITMAP.
 * \param NewText Receives a referenced tooltip string owned by the caller.
 * \param Context Unused.
 */
VOID EtpGpuIconUpdateCallback(
    _In_ struct _PH_NF_ICON *Icon,
    _Out_ PVOID *NewIconOrBitmap,
    _Out_ PULONG Flags,
    _Out_ PPH_STRING *NewText,
    _In_opt_ PVOID Context
    )
{
    // Static so that the size chosen by BeginBitmap persists between updates;
    // the data pointer and colors are refreshed on every call.
    static PH_GRAPH_DRAW_INFO drawInfo =
    {
        16,                     // Width
        16,                     // Height
        0,                      // Flags: no PH_GRAPH_USE_LINE_2, one line only
        2,                      // Step
        RGB(0x00, 0x00, 0x00),  // BackColor

        16,                     // LineDataCount
        NULL,
        NULL,
        0,
        0,
        0,
        0
    };
    HBITMAP bitmap;
    HBITMAP oldBitmap;
    PVOID bits;
    HDC hdc;
    ULONG capacity;
    ULONG sampleCount;
    PFLOAT samples;
    HANDLE topProcessId = NULL;
    PPH_PROCESS_ITEM topProcessItem = NULL;
    PH_FORMAT format[8];
    ULONG formatCount = 3;

    // Icon

    Icon->Pointers->BeginBitmap(&drawInfo.Width, &drawInfo.Height, &bitmap, &bits, &hdc, &oldBitmap);
    // One sample per two pixels of width (plus one); sized from the icon width.
    capacity = drawInfo.Width / 2 + 1;
    samples = _alloca(capacity * sizeof(FLOAT));

    // The history is copied as-is; unlike the network icon no rescaling is
    // applied (the values appear to be fractions already, cf. the * 100 below).
    sampleCount = min(capacity, EtGpuNodeHistory.Count);
    PhCopyCircularBuffer_FLOAT(&EtGpuNodeHistory, samples, sampleCount);

    drawInfo.LineDataCount = sampleCount;
    drawInfo.LineData1 = samples;
    drawInfo.LineColor1 = PhGetIntegerSetting(L"ColorCpuKernel");
    drawInfo.LineBackColor1 = PhHalveColorBrightness(drawInfo.LineColor1);

    if (bits)
        PhDrawGraphDirect(hdc, bits, &drawInfo);

    SelectObject(hdc, oldBitmap);
    *NewIconOrBitmap = bitmap;
    *Flags = PH_NF_UPDATE_IS_BITMAP;

    // Text

    if (EtMaxGpuNodeHistory.Count != 0)
        topProcessId = UlongToHandle(PhGetItemCircularBuffer_ULONG(&EtMaxGpuNodeHistory, 0));

    if (topProcessId)
        topProcessItem = PhReferenceProcessItem(topProcessId);

    PhInitFormatS(&format[0], L"GPU Usage: ");
    PhInitFormatF(&format[1], EtGpuNodeUsage * 100, 2);
    PhInitFormatC(&format[2], '%');

    if (topProcessItem)
    {
        PhInitFormatC(&format[3], '\n');
        PhInitFormatSR(&format[4], topProcessItem->ProcessName->sr);
        PhInitFormatS(&format[5], L": ");
        PhInitFormatF(&format[6], EtGetProcessBlock(topProcessItem)->GpuNodeUsage * 100, 2);
        PhInitFormatC(&format[7], '%');
        formatCount = 8;
    }

    *NewText = PhFormat(format, formatCount, 128);

    if (topProcessItem)
        PhDereferenceObject(topProcessItem);
}
/**
 * Mini-info list section callback for the "Disk" section.
 *
 * \param ListSection The list section being driven.
 * \param Message Which operation is requested.
 * \param Parameter1 Message-specific data (sort list, assign-sort-data or
 * get-usage-text request).
 * \param Parameter2 Unused.
 *
 * \return TRUE for the messages this section handles itself (sorting, sort
 * data, usage text); FALSE for the tick (the section text is updated as a
 * side effect) and for anything unrecognised.
 */
BOOLEAN EtpDiskListSectionCallback(
    _In_ struct _PH_MINIINFO_LIST_SECTION *ListSection,
    _In_ PH_MINIINFO_LIST_SECTION_MESSAGE Message,
    _In_opt_ PVOID Parameter1,
    _In_opt_ PVOID Parameter2
    )
{
    switch (Message)
    {
    case MiListSectionTick:
        {
            // "Disk    R: <size>  W: <size>", sizes without fractional digits.
            PH_FORMAT parts[4];
            PPH_STRING text;

            PhInitFormatS(&parts[0], L"Disk    R: ");
            PhInitFormatSize(&parts[1], EtDiskReadDelta.Delta);
            PhInitFormatS(&parts[2], L"  W: ");
            PhInitFormatSize(&parts[3], EtDiskWriteDelta.Delta);
            parts[1].Type |= FormatUsePrecision;
            parts[1].Precision = 0;
            parts[3].Type |= FormatUsePrecision;
            parts[3].Precision = 0;

            text = PhAutoDereferenceObject(PhFormat(parts, 4, 50));
            ListSection->Section->Parameters->SetSectionText(ListSection->Section, text);
        }
        break;
    case MiListSectionSortProcessList:
        {
            PPH_MINIINFO_LIST_SECTION_SORT_LIST sortList = Parameter1;

            qsort(
                sortList->List->Items,
                sortList->List->Count,
                sizeof(PPH_PROCESS_NODE),
                EtpDiskListSectionProcessCompareFunction
                );
        }
        return TRUE;
    case MiListSectionAssignSortData:
        {
            PPH_MINIINFO_LIST_SECTION_ASSIGN_SORT_DATA assignSortData = Parameter1;
            PPH_LIST members = assignSortData->ProcessGroup->Processes;
            ULONG64 totalRead = 0;
            ULONG64 totalWrite = 0;
            ULONG index;

            // A group sorts by the combined raw I/O of all its processes.
            for (index = 0; index < members->Count; index++)
            {
                PPH_PROCESS_ITEM member = members->Items[index];
                PET_PROCESS_BLOCK block = EtGetProcessBlock(member);

                totalRead += block->DiskReadRawDelta.Delta;
                totalWrite += block->DiskWriteRawDelta.Delta;
            }

            assignSortData->SortData->UserData[0] = totalRead;
            assignSortData->SortData->UserData[1] = totalWrite;
        }
        return TRUE;
    case MiListSectionSortGroupList:
        {
            PPH_MINIINFO_LIST_SECTION_SORT_LIST sortList = Parameter1;

            qsort(
                sortList->List->Items,
                sortList->List->Count,
                sizeof(PPH_MINIINFO_LIST_SECTION_SORT_DATA),
                EtpDiskListSectionNodeCompareFunction
                );
        }
        return TRUE;
    case MiListSectionGetUsageText:
        {
            PPH_MINIINFO_LIST_SECTION_GET_USAGE_TEXT getUsageText = Parameter1;
            PPH_LIST members = getUsageText->ProcessGroup->Processes;
            ULONG64 totalRead = getUsageText->SortData->UserData[0];
            ULONG64 totalWrite = getUsageText->SortData->UserData[1];
            PH_FORMAT parts[1];

            // Line 1 shows the group's combined read+write as a size.
            PhInitFormatSize(&parts[0], totalRead + totalWrite);
            PhMoveReference(&getUsageText->Line1, PhFormat(parts, 1, 16));
        }
        return TRUE;
    default:
        break;
    }

    return FALSE;
}
/**
 * Refreshes the per-thread detail fields on the threads page.
 *
 * \param hwndDlg The dialog that owns the IDC_* detail controls.
 * \param Context The threads page context; its ListContext provides the
 * current selection.
 * \param Force TRUE to also rewrite the fields that normally don't change
 * (start module, start time) and to reset every field to "N/A" when the
 * selection is not exactly one thread. With FALSE the function returns
 * without touching the dialog unless exactly one thread is selected.
 */
VOID PhpUpdateThreadDetails(
    _In_ HWND hwndDlg,
    _In_ PPH_THREADS_CONTEXT Context,
    _In_ BOOLEAN Force
    )
{
    PPH_THREAD_ITEM *threads;
    ULONG numberOfThreads;
    PPH_THREAD_ITEM threadItem;
    // Every field starts at its "nothing to show" value; the single-thread
    // branch below overwrites whatever it can determine.
    PPH_STRING startModule = NULL;
    PPH_STRING started = NULL;
    WCHAR kernelTime[PH_TIMESPAN_STR_LEN_1] = L"N/A";
    WCHAR userTime[PH_TIMESPAN_STR_LEN_1] = L"N/A";
    PPH_STRING contextSwitches = NULL;
    PPH_STRING cycles = NULL;
    PPH_STRING state = NULL;
    WCHAR priority[PH_INT32_STR_LEN_1] = L"N/A";
    WCHAR basePriority[PH_INT32_STR_LEN_1] = L"N/A";
    PWSTR ioPriority = L"N/A";
    PWSTR pagePriority = L"N/A";
    // Room for "<group>:<number>".
    WCHAR idealProcessor[PH_INT32_STR_LEN + 1 + PH_INT32_STR_LEN + 1] = L"N/A";
    HANDLE threadHandle;
    SYSTEMTIME time;
    IO_PRIORITY_HINT ioPriorityInteger;
    ULONG pagePriorityInteger;
    PROCESSOR_NUMBER idealProcessorNumber;
    ULONG suspendCount;

    PhGetSelectedThreadItems(&Context->ListContext, &threads, &numberOfThreads);

    // Details are only meaningful for a single selected thread.
    if (numberOfThreads == 1)
        threadItem = threads[0];
    else
        threadItem = NULL;

    // The item pointer has been copied out; the array itself is ours to free.
    PhFree(threads);

    // Not a single selection and not asked to clear the panel: nothing to do.
    if (numberOfThreads != 1 && !Force)
        return;

    if (numberOfThreads == 1)
    {
        // Borrowed pointer; no reference is taken because it is only used
        // within this call.
        startModule = threadItem->StartAddressFileName;

        PhLargeIntegerToLocalSystemTime(&time, &threadItem->CreateTime);
        started = PhaFormatDateTime(&time);

        PhPrintTimeSpan(kernelTime, threadItem->KernelTime.QuadPart, PH_TIMESPAN_HMSM);
        PhPrintTimeSpan(userTime, threadItem->UserTime.QuadPart, PH_TIMESPAN_HMSM);

        // Pha* strings live in the auto-dereference pool.
        contextSwitches = PhaFormatUInt64(threadItem->ContextSwitchesDelta.Value, TRUE);

        // Cycle counters are only shown when the OS reports them.
        if (WINDOWS_HAS_CYCLE_TIME)
            cycles = PhaFormatUInt64(threadItem->CyclesDelta.Value, TRUE);

        // Non-waiting threads show the state name; waiting threads show the
        // wait reason. Both table lookups are bounds-checked against the
        // Maximum* enumerators.
        if (threadItem->State != Waiting)
        {
            if ((ULONG)threadItem->State < MaximumThreadState)
                state = PhaCreateString(PhKThreadStateNames[(ULONG)threadItem->State]);
            else
                state = PhaCreateString(L"Unknown");
        }
        else
        {
            if ((ULONG)threadItem->WaitReason < MaximumWaitReason)
                state = PhaConcatStrings2(L"Wait:", PhKWaitReasonNames[(ULONG)threadItem->WaitReason]);
            else
                state = PhaCreateString(L"Waiting");
        }

        PhPrintInt32(priority, threadItem->Priority);
        PhPrintInt32(basePriority, threadItem->BasePriority);

        // The remaining fields need a query handle to the thread; if it can't
        // be opened they silently keep their "N/A" defaults.
        if (NT_SUCCESS(PhOpenThread(&threadHandle, ThreadQueryAccess, threadItem->ThreadId)))
        {
            if (NT_SUCCESS(PhGetThreadIoPriority(threadHandle, &ioPriorityInteger)) &&
                ioPriorityInteger < MaxIoPriorityTypes)
            {
                ioPriority = PhIoPriorityHintNames[ioPriorityInteger];
            }

            // NOTE(review): the bound implies PhPagePriorityNames has
            // MEMORY_PRIORITY_NORMAL + 1 entries — confirm against its definition.
            if (NT_SUCCESS(PhGetThreadPagePriority(threadHandle, &pagePriorityInteger)) &&
                pagePriorityInteger <= MEMORY_PRIORITY_NORMAL)
            {
                pagePriority = PhPagePriorityNames[pagePriorityInteger];
            }

            // Ideal processor is shown as "<group>:<number>".
            if (NT_SUCCESS(NtQueryInformationThread(threadHandle, ThreadIdealProcessorEx, &idealProcessorNumber, sizeof(PROCESSOR_NUMBER), NULL)))
            {
                PH_FORMAT format[3];

                PhInitFormatU(&format[0], idealProcessorNumber.Group);
                PhInitFormatC(&format[1], ':');
                PhInitFormatU(&format[2], idealProcessorNumber.Number);
                PhFormatToBuffer(format, 3, idealProcessor, sizeof(idealProcessor), NULL);
            }

            // Suspended threads get their suspend count appended to the state
            // text, in parentheses. state is always non-NULL at this point.
            if (threadItem->WaitReason == Suspended && NT_SUCCESS(NtQueryInformationThread(threadHandle, ThreadSuspendCount, &suspendCount, sizeof(ULONG), NULL)))
            {
                PH_FORMAT format[4];

                PhInitFormatSR(&format[0], state->sr);
                PhInitFormatS(&format[1], L" (");
                PhInitFormatU(&format[2], suspendCount);
                PhInitFormatS(&format[3], L")");
                state = PH_AUTO(PhFormat(format, 4, 30));
            }

            NtClose(threadHandle);
        }
    }

    if (Force)
    {
        // These don't change... so they are only rewritten on Force.

        SetDlgItemText(hwndDlg, IDC_STARTMODULE, PhGetStringOrEmpty(startModule));
        EnableWindow(GetDlgItem(hwndDlg, IDC_OPENSTARTMODULE), !!startModule);

        SetDlgItemText(hwndDlg, IDC_STARTED, PhGetStringOrDefault(started, L"N/A"));
    }

    // Per-tick fields; NULL strings fall back to "N/A".
    SetDlgItemText(hwndDlg, IDC_KERNELTIME, kernelTime);
    SetDlgItemText(hwndDlg, IDC_USERTIME, userTime);
    SetDlgItemText(hwndDlg, IDC_CONTEXTSWITCHES, PhGetStringOrDefault(contextSwitches, L"N/A"));
    SetDlgItemText(hwndDlg, IDC_CYCLES, PhGetStringOrDefault(cycles, L"N/A"));
    SetDlgItemText(hwndDlg, IDC_STATE, PhGetStringOrDefault(state, L"N/A"));
    SetDlgItemText(hwndDlg, IDC_PRIORITY, priority);
    SetDlgItemText(hwndDlg, IDC_BASEPRIORITY, basePriority);
    SetDlgItemText(hwndDlg, IDC_IOPRIORITY, ioPriority);
    SetDlgItemText(hwndDlg, IDC_PAGEPRIORITY, pagePriority);
    SetDlgItemText(hwndDlg, IDC_IDEALPROCESSOR, idealProcessor);
}
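/**
 * Connects to the KProcessHacker device, loading the driver if necessary.
 *
 * The device "\Device\<DeviceName>" is opened first. If it does not exist,
 * the service named DeviceName is started; if that fails and FileName exists
 * on disk, a kernel-driver service is created for it (this needs a caller
 * allowed to open the SCM with SC_MANAGER_CREATE_SERVICE), its parameters are
 * written, it is started, and the device is opened again. A service created
 * here is marked for deletion before returning so it does not outlive the
 * connection.
 *
 * \param DeviceName Optional device/service name; KPH_DEVICE_SHORT_NAME when NULL.
 * \param FileName Path of the driver image used when the service must be created.
 * \param Parameters Optional driver parameters (e.g. SecurityLevel) written
 * before a newly created service is started.
 *
 * \return The status of the last KphConnect attempt, STATUS_NAME_TOO_LONG if
 * the device name does not fit the fixed buffer, or the KphSetParameters
 * failure status. A service that was created or started but never connected
 * is reported with the original open failure, never as success.
 *
 * Fixes relative to the previous version: the SCM handle was leaked when
 * KphSetParameters failed, and a successful KphSetParameters followed by a
 * failed StartService returned STATUS_SUCCESS without a connection.
 */
NTSTATUS KphConnect2Ex(
    _In_opt_ PWSTR DeviceName,
    _In_ PWSTR FileName,
    _In_opt_ PKPH_PARAMETERS Parameters
    )
{
    NTSTATUS status;
    WCHAR fullDeviceName[256];
    PH_FORMAT format[2];
    SC_HANDLE scmHandle;
    SC_HANDLE serviceHandle = NULL;
    BOOLEAN started = FALSE;
    BOOLEAN created = FALSE;

    if (!DeviceName)
        DeviceName = KPH_DEVICE_SHORT_NAME;

    // Build "\Device\<name>". PhFormatToBuffer fails rather than truncating,
    // so an over-long caller-supplied name is rejected outright.
    PhInitFormatS(&format[0], L"\\Device\\");
    PhInitFormatS(&format[1], DeviceName);

    if (!PhFormatToBuffer(format, 2, fullDeviceName, sizeof(fullDeviceName), NULL))
        return STATUS_NAME_TOO_LONG;

    // Try to open the device.
    status = KphConnect(fullDeviceName);

    if (NT_SUCCESS(status) || status == STATUS_ADDRESS_ALREADY_EXISTS)
        return status;

    // Only "the device isn't there" errors are worth retrying after loading
    // the driver; anything else (e.g. access denied) is final.
    if (
        status != STATUS_NO_SUCH_DEVICE &&
        status != STATUS_NO_SUCH_FILE &&
        status != STATUS_OBJECT_NAME_NOT_FOUND &&
        status != STATUS_OBJECT_PATH_NOT_FOUND
        )
        return status;

    // Load the driver, and try again.

    // Try to start the service, if it exists.

    scmHandle = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT);

    if (scmHandle)
    {
        serviceHandle = OpenService(scmHandle, DeviceName, SERVICE_START);

        if (serviceHandle)
        {
            if (StartService(serviceHandle, 0, NULL))
                started = TRUE;

            CloseServiceHandle(serviceHandle);
            serviceHandle = NULL;
        }

        CloseServiceHandle(scmHandle);
    }

    if (!started && RtlDoesFileExists_U(FileName))
    {
        // Try to create the service.

        scmHandle = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);

        if (scmHandle)
        {
            serviceHandle = CreateService(
                scmHandle,
                DeviceName,
                DeviceName,
                SERVICE_ALL_ACCESS,
                SERVICE_KERNEL_DRIVER,
                SERVICE_DEMAND_START,
                SERVICE_ERROR_IGNORE,
                FileName,
                NULL,
                NULL,
                NULL,
                NULL,
                L""
                );

            if (serviceHandle)
            {
                created = TRUE;

                // Set parameters if the caller supplied them.
                // Note that we fail the entire function if this fails,
                // because failing to set parameters like SecurityLevel may
                // result in security vulnerabilities. The driver is never
                // started with its parameters missing.
                if (Parameters)
                {
                    NTSTATUS parametersStatus = KphSetParameters(DeviceName, Parameters);

                    if (!NT_SUCCESS(parametersStatus))
                    {
                        // Delete the service and fail. Release the SCM handle
                        // here, since the cleanup label does not know about it.
                        status = parametersStatus;
                        CloseServiceHandle(scmHandle);
                        goto CreateAndConnectEnd;
                    }
                }

                if (StartService(serviceHandle, 0, NULL))
                    started = TRUE;
            }

            CloseServiceHandle(scmHandle);
        }
    }

    if (started)
    {
        // Try to open the device again.
        status = KphConnect(fullDeviceName);
    }
    // Otherwise status still holds the failure from the first KphConnect, so
    // a service that was created but did not start is not reported as success.

CreateAndConnectEnd:
    if (created)
    {
        // "Delete" the service. Since we (may) have a handle to
        // the device, the SCM will delete the service automatically
        // when it is stopped (upon reboot). If we don't have a
        // handle to the device, the service will get deleted immediately,
        // which is a good thing anyway.
        DeleteService(serviceHandle);
        CloseServiceHandle(serviceHandle);
    }

    return status;
}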
NTSTATUS PhpGetBestObjectName(
    __in HANDLE ProcessHandle,
    __in HANDLE Handle,
    __in PPH_STRING ObjectName,
    __in PPH_STRING TypeName,
    __out PPH_STRING *BestObjectName
    )
{
    NTSTATUS status;
    PPH_STRING bestObjectName = NULL;
    PPH_GET_CLIENT_ID_NAME handleGetClientIdName;

    if (PhEqualString2(TypeName, L"EtwRegistration", TRUE))
    {
        if (KphIsConnected())
        {
            ETWREG_BASIC_INFORMATION basicInfo;

            status = KphQueryInformationObject(
                ProcessHandle,
                Handle,
                KphObjectEtwRegBasicInformation,
                &basicInfo,
                sizeof(ETWREG_BASIC_INFORMATION),
                NULL
                );

            if (NT_SUCCESS(status))
            {
                static PH_STRINGREF publishersKeyName = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Publishers\\");

                PPH_STRING guidString;
                PPH_STRING keyName;
                HANDLE keyHandle;
                PPH_STRING publisherName = NULL;

                guidString = PhFormatGuid(&basicInfo.Guid);

                // We should perform a lookup on the GUID to get the publisher name.

                keyName = PhConcatStringRef2(&publishersKeyName, &guidString->sr);

                if (NT_SUCCESS(PhOpenKey(
                    &keyHandle,
                    KEY_READ,
                    PH_KEY_LOCAL_MACHINE,
                    &keyName->sr,
                    0
                    )))
                {
                    publisherName = PhQueryRegistryString(keyHandle, NULL);

                    if (publisherName && publisherName->Length == 0)
                    {
                        PhDereferenceObject(publisherName);
                        publisherName = NULL;
                    }

                    NtClose(keyHandle);
                }

                PhDereferenceObject(keyName);

                if (publisherName)
                {
                    bestObjectName = publisherName;
                    PhDereferenceObject(guidString);
                }
                else
                {
                    bestObjectName = guidString;
                }
            }
        }
    }
    else if (PhEqualString2(TypeName, L"File", TRUE))
    {
        // Convert the file name to a DOS file name.
        bestObjectName = PhResolveDevicePrefix(ObjectName);

        if (!bestObjectName)
        {
            bestObjectName = ObjectName;
            PhReferenceObject(ObjectName);
        }
    }
    else if (PhEqualString2(TypeName, L"Key", TRUE))
    {
        bestObjectName = PhFormatNativeKeyName(ObjectName);
    }
    else if (PhEqualString2(TypeName, L"Process", TRUE))
    {
        CLIENT_ID clientId;

        clientId.UniqueThread = NULL;

        if (KphIsConnected())
        {
            PROCESS_BASIC_INFORMATION basicInfo;

            status = KphQueryInformationObject(
                ProcessHandle,
                Handle,
                KphObjectProcessBasicInformation,
                &basicInfo,
                sizeof(PROCESS_BASIC_INFORMATION),
                NULL
                );

            if (!NT_SUCCESS(status))
                goto CleanupExit;

            clientId.UniqueProcess = basicInfo.UniqueProcessId;
        }
        else
        {
            HANDLE dupHandle;
            PROCESS_BASIC_INFORMATION basicInfo;

            status = NtDuplicateObject(
                ProcessHandle,
                Handle,
                NtCurrentProcess(),
                &dupHandle,
                ProcessQueryAccess,
                0,
                0
                );

            if (!NT_SUCCESS(status))
                goto CleanupExit;

            status = PhGetProcessBasicInformation(dupHandle, &basicInfo);
            NtClose(dupHandle);

            if (!NT_SUCCESS(status))
                goto CleanupExit;

            clientId.UniqueProcess = basicInfo.UniqueProcessId;
        }

        handleGetClientIdName = PhHandleGetClientIdName;

        if (handleGetClientIdName)
            bestObjectName = handleGetClientIdName(&clientId);
    }
    else if (PhEqualString2(TypeName, L"Thread", TRUE))
    {
        CLIENT_ID clientId;

        if (KphIsConnected())
        {
            THREAD_BASIC_INFORMATION basicInfo;

            status = KphQueryInformationObject(
                ProcessHandle,
                Handle,
                KphObjectThreadBasicInformation,
                &basicInfo,
                sizeof(THREAD_BASIC_INFORMATION),
                NULL
                );

            if (!NT_SUCCESS(status))
                goto CleanupExit;

            clientId = basicInfo.ClientId;
        }
        else
        {
            HANDLE dupHandle;
            THREAD_BASIC_INFORMATION basicInfo;

            status = NtDuplicateObject(
                ProcessHandle,
                Handle,
                NtCurrentProcess(),
                &dupHandle,
                ThreadQueryAccess,
                0,
                0
                );

            if (!NT_SUCCESS(status))
                goto CleanupExit;

            status = PhGetThreadBasicInformation(dupHandle, &basicInfo);
            NtClose(dupHandle);

            if (!NT_SUCCESS(status))
                goto CleanupExit;

            clientId = basicInfo.ClientId;
        }

        handleGetClientIdName = PhHandleGetClientIdName;

        if (handleGetClientIdName)
            bestObjectName = handleGetClientIdName(&clientId);
    }
    else if (PhEqualString2(TypeName, L"TmEn", TRUE))
    {
        HANDLE dupHandle;
        ENLISTMENT_BASIC_INFORMATION basicInfo;

        status = NtDuplicateObject(
            ProcessHandle,
            Handle,
            NtCurrentProcess(),
            &dupHandle,
            ENLISTMENT_QUERY_INFORMATION,
            0,
            0
            );

        if (!NT_SUCCESS(status))
            goto CleanupExit;

        status = PhGetEnlistmentBasicInformation(dupHandle, &basicInfo);
        NtClose(dupHandle);

        if (NT_SUCCESS(status))
        {
            bestObjectName = PhFormatGuid(&basicInfo.EnlistmentId);
        }
    }
    else if (PhEqualString2(TypeName, L"TmRm", TRUE))
    {
        HANDLE dupHandle;
        GUID guid;
        PPH_STRING description;

        status = NtDuplicateObject(
            ProcessHandle,
            Handle,
            NtCurrentProcess(),
            &dupHandle,
            RESOURCEMANAGER_QUERY_INFORMATION,
            0,
            0
            );

        if (!NT_SUCCESS(status))
            goto CleanupExit;

        status = PhGetResourceManagerBasicInformation(
            dupHandle,
            &guid,
            &description
            );
        NtClose(dupHandle);

        if (NT_SUCCESS(status))
        {
            if (!PhIsNullOrEmptyString(description))
            {
                bestObjectName = description;
            }
            else
            {
                bestObjectName = PhFormatGuid(&guid);

                if (description)
                    PhDereferenceObject(description);
            }
        }
    }
    else if (PhEqualString2(TypeName, L"TmTm", TRUE))
    {
        HANDLE dupHandle;
        PPH_STRING logFileName = NULL;
        TRANSACTIONMANAGER_BASIC_INFORMATION basicInfo;

        status = NtDuplicateObject(
            ProcessHandle,
            Handle,
            NtCurrentProcess(),
            &dupHandle,
            TRANSACTIONMANAGER_QUERY_INFORMATION,
            0,
            0
            );

        if (!NT_SUCCESS(status))
            goto CleanupExit;

        status = PhGetTransactionManagerLogFileName(
            dupHandle,
            &logFileName
            );

        if (NT_SUCCESS(status) && !PhIsNullOrEmptyString(logFileName))
        {
            bestObjectName = PhGetFileName(logFileName);
            PhDereferenceObject(logFileName);
        }
        else
        {
            if (logFileName)
                PhDereferenceObject(logFileName);

            status = PhGetTransactionManagerBasicInformation(
                dupHandle,
                &basicInfo
                );

            if (NT_SUCCESS(status))
            {
                bestObjectName = PhFormatGuid(&basicInfo.TmIdentity);
            }
        }

        NtClose(dupHandle);
    }
    else if (PhEqualString2(TypeName, L"TmTx", TRUE))
    {
        HANDLE dupHandle;
        PPH_STRING description = NULL;
        TRANSACTION_BASIC_INFORMATION basicInfo;

        status = NtDuplicateObject(
            ProcessHandle,
            Handle,
            NtCurrentProcess(),
            &dupHandle,
            TRANSACTION_QUERY_INFORMATION,
            0,
            0
            );

        if (!NT_SUCCESS(status))
            goto CleanupExit;

        status = PhGetTransactionPropertiesInformation(
            dupHandle,
            NULL,
            NULL,
            &description
            );

        if (NT_SUCCESS(status) && !PhIsNullOrEmptyString(description))
        {
            bestObjectName = description;
        }
        else
        {
            if (description)
                PhDereferenceObject(description);

            status = PhGetTransactionBasicInformation(
                dupHandle,
                &basicInfo
                );

            if (NT_SUCCESS(status))
            {
                bestObjectName = PhFormatGuid(&basicInfo.TransactionId);
            }
        }

        NtClose(dupHandle);
    }
    else if (PhEqualString2(TypeName, L"Token", TRUE))
    {
        HANDLE dupHandle;
        PTOKEN_USER tokenUser = NULL;
        TOKEN_STATISTICS statistics = { 0 };

        status = NtDuplicateObject(
            ProcessHandle,
            Handle,
            NtCurrentProcess(),
            &dupHandle,
            TOKEN_QUERY,
            0,
            0
            );

        if (!NT_SUCCESS(status))
            goto CleanupExit;

        status = PhGetTokenUser(dupHandle, &tokenUser);
        PhGetTokenStatistics(dupHandle, &statistics);

        if (NT_SUCCESS(status))
        {
            PPH_STRING fullName;

            fullName = PhGetSidFullName(tokenUser->User.Sid, TRUE, NULL);

            if (fullName)
            {
                PH_FORMAT format[3];

                PhInitFormatSR(&format[0], fullName->sr);
                PhInitFormatS(&format[1], L": 0x");
                PhInitFormatX(&format[2], statistics.AuthenticationId.LowPart);

                bestObjectName = PhFormat(format, 3, fullName->Length + 8 + 16);
                PhDereferenceObject(fullName);
            }

            PhFree(tokenUser);
        }

        NtClose(dupHandle);
    }

CleanupExit:

    if (!bestObjectName)
    {
        bestObjectName = ObjectName;
        PhReferenceObject(ObjectName);
    }

    *BestObjectName = bestObjectName;

    return STATUS_SUCCESS;
}